Abstract

This paper presents a semantics of self-adjusting computation and proves that the semantics are correct and consistent. The semantics integrate change propagation with the classic idea of memoization to enable reuse of computations under mutation to memory. During evaluation, reuse of a computation via memoization triggers a change propagation that adjusts the reused computation to reflect the mutated memory. Since the semantics integrate memoization and change propagation, they involve both non-determinism (due to memoization) and mutation (due to change propagation). Our consistency theorem states that the non-determinism is not harmful: any two evaluations of the same program starting at the same state yield the same result. Our correctness theorem states that mutation is not harmful: self-adjusting programs are consistent with purely functional programming. We formalize the semantics and their meta-theory in the LF logical framework and machine check our proofs using Twelf.

1 Introduction 

Many applications operate on data that changes over time. Self-adjusting computation is a technique that enables programs to respond to changes to their data (e.g., inputs/arguments, external state, or outcomes of tests). Advances in self-adjusting computation show that it can speed up response times by orders of magnitude over recomputing from scratch, closely matching best-known (problem-specific) algorithms both in theory and in practice (e.g., [3]). More recent results show that the approach can even enable solving challenging open problems that have resisted traditional algorithmic approaches (e.g. SO).

Key to the effectiveness of self-adjusting computation is a technique that integrates change propagation BH and the classic idea of memoization [11]. Due to an interesting duality between memoization and change propagation, combining them turns out to be crucial for efficiency. This technique was first developed in two previously published conference papers. One paper focused on algorithmic, implementation, and experimental aspects (journal version [3]). The other focused on the formal aspects and the semantics [5]; this paper is a full version of that conference paper, which it extends by providing full, machine-checked proofs. After its publication, the approach proposed in this paper has essentially served as the foundation for much of the follow-up work on self-adjusting computation. It has been implemented as a Standard ML library [3] and generalized to support imperative references [2]. These results set the stage for the development of CEAL 011 and Delta ML [15], which provide direct language support for self-adjusting computation.

Integrating change propagation and memoization poses a major challenge because the techniques are far from being orthogonal: memoization traditionally requires purely functional programming, whereas change propagation is destructive and critically relies on mutation. Here, we overcome this challenge by presenting a general semantic framework that integrates them. We model memoization as a non-deterministic oracle; this ensures that the semantics apply to many different ways in which memoization can be realized. We prove two main theorems stating that the semantics are consistent and correct (Section 3). The consistency theorem states that the non-determinism (due to memoization) is harmless by showing that any two evaluations of the same program in the same store yield the same result. The correctness theorem states that self-adjusting computation is consistent with purely functional programming by showing that evaluation returns the (observationally) same value as a purely functional evaluation. Our proofs do not make any assumptions about typing. Our results therefore apply in both typed and untyped settings.

To study the semantics we extend the adaptive functional language AFL [4], which supports change propagation, with a construct for memoization. We call this language AML (Section 2). The dynamic semantics of AML are store-based. Mutation to the store between successive evaluations models incremental changes to the input. The evaluation of an AML program also allocates store locations and updates existing locations. A memoized expression is evaluated by first consulting the memo-oracle, which non-deterministically returns either a miss or a hit. In evaluation, a hit returns a trace of the evaluation of the memoized expression, which is recursively adapted to mutations by performing a change propagation on the returned trace. Intuitively, the idea is to re-use computations (represented via traces) themselves and recursively perform change propagation on re-used computations to adapt them according to mutations. This contrasts with conventional memoization, where results of computations are re-used in a purely functional (mutation-free) setting.

The proofs for the correctness and consistency theorems (Section 3) are made challenging because the semantics consist of a complex set of judgments (where change propagation and ordinary evaluation are mutually recursive), and because the semantics involve mutation and two kinds of non-determinism: non-determinism in memory allocation, and non-determinism due to memoization. Due to mutation, we are required to prove that evaluation preserves certain well-formedness properties (e.g., absence of cycles and dangling pointers). Due to non-deterministic memory allocation, we cannot compare the results from different evaluations directly. Instead, we compare values structurally by comparing the contents of locations. To address non-determinism due to memoization, we allow evaluation to recycle existing memory locations. Based on these techniques, we first prove that memoization is harmless: for any evaluation there exists a memoization-free counterpart that yields the same result without reusing any computations. Based on structural equality, we then show that memoization-free evaluations and fully deterministic evaluations are equivalent. These proof techniques may be of independent interest.

To increase confidence in our results, we encoded the syntax and semantics of AML and its meta-theory in the LF logical framework [12] and machine-checked the proofs using Twelf [18] (Section 5). The Twelf formalization consists of 7800 lines of code. The Twelf code is fully foundational: it encodes all background structures required by the proof and proves all lemmas from first principles. We include the full Twelf code in the appendix (Appendix A). We note that checking the proofs in Twelf was not merely an encoding exercise. In fact, our initial attempts at producing a paper-and-pencil proof failed. The process of creating and checking the proof mechanically in Twelf allowed us to come up with the proof, while also helping us simplify the rule systems and generalize the proof to untyped languages. We therefore feel that the use of Twelf was critical to this result.

Since the semantics model memoization as a non-deterministic oracle, and since they do not specify how memory should be allocated while allowing pre-existing locations to be recycled, the dynamic semantics of AML do not translate to an algorithm directly. In Section 6 we describe some implementation strategies for realizing the AML semantics.

2 The Language 

We describe a language, called AML, that combines the features of an adaptive functional language (AFL) [4] with memoization. The syntax of the language extends that of AFL with memo constructs for memoizing expressions. The dynamic semantics integrate change propagation and evaluation to ensure correct reuse of computations under mutations. As explained before, our results do not rely on typing properties of AML. We therefore omit a type system but identify a minimal set of conditions under which evaluation is consistent. In addition to the memoizing and change-propagating dynamic semantics, we give a pure interpretation of AML that provides no reuse of computations.

2.1 Abstract syntax 

The abstract syntax of AML is given in Figure 1. We use meta-variables $x$, $y$, and $z$ (and variants) to range over an unspecified set of variables, and meta-variable $l$ (and variants) to range over a separate, unspecified set of locations; the locations are modifiable references. The syntax of AML is restricted to "2/3-cps", or "named form", to streamline the presentation of the dynamic semantics.

Expressions are classified into three categories: values, stable expressions, and changeable expressions. Values are constants, variables, locations, and the introduction forms for sums, products, and functions. The value of a stable expression is not sensitive to modifications to the inputs, whereas the value of a changeable expression may directly or indirectly be affected by them.

The familiar mechanisms of functional programming are embedded in AML as stable expressions. Stable expressions include the let construct, the elimination forms for products and sums, stable-function applications, and the creation of new modifiables. A stable function is a function whose body is a stable expression. The application of a stable function is a stable expression. The expression $\mathtt{mod}\ e_c$ allocates a modifiable reference and initializes it by executing the changeable expression $e_c$. Note that the modifiable itself is stable, even though its contents are subject to change. A memoized stable expression is written $\mathtt{memo}_s\ e_s$.

\[
\begin{array}{lrcl}
\text{Values} & v & ::= & () \mid n \mid x \mid l \mid (v_1, v_2) \mid \mathtt{inl}\ v \mid \mathtt{inr}\ v \mid \mathtt{fun}_s\ f(x)\ \mathtt{is}\ e_s \mid \mathtt{fun}_c\ f(x)\ \mathtt{is}\ e_c \\
\text{St. Exp.} & e_s & ::= & v \mid o(v_1, \ldots, v_n) \mid \mathtt{mod}\ e_c \mid \mathtt{memo}_s\ e_s \mid \mathtt{apply}_s(v_1, v_2) \\
& & \mid & \mathtt{let}\ x = e_s\ \mathtt{in}\ e'_s \mid \mathtt{let}\ x_1 \times x_2 = v\ \mathtt{in}\ e_s \\
& & \mid & \mathtt{case}\ v\ \mathtt{of}\ \mathtt{inl}(x_1) \Rightarrow e_s \mid \mathtt{inr}(x_2) \Rightarrow e'_s\ \mathtt{end} \\
\text{Ch. Exp.} & e_c & ::= & \mathtt{write}(v) \mid \mathtt{read}\ v\ \mathtt{as}\ x\ \mathtt{in}\ e_c \mid \mathtt{memo}_c\ e_c \mid \mathtt{apply}_c(v_1, v_2) \\
& & \mid & \mathtt{let}\ x = e_s\ \mathtt{in}\ e_c \mid \mathtt{let}\ x_1 \times x_2 = v\ \mathtt{in}\ e_c \\
& & \mid & \mathtt{case}\ v\ \mathtt{of}\ \mathtt{inl}(x_1) \Rightarrow e_c \mid \mathtt{inr}(x_2) \Rightarrow e'_c\ \mathtt{end} \\
\text{Program} & p & ::= & e_s
\end{array}
\]

Figure 1: The abstract syntax of AML.

Changeable expressions always execute in the context of an enclosing $\mathtt{mod}$-expression that provides the implicit target location that every changeable expression writes to. The changeable expression $\mathtt{write}(v)$ writes the value $v$ into the target. The expression $\mathtt{read}\ v\ \mathtt{as}\ x\ \mathtt{in}\ e_c$ binds the contents of the modifiable $v$ to the variable $x$, then continues evaluation of $e_c$. A read is considered changeable because the contents of the modifiable on which it depends are subject to change. A changeable function is a function whose body is a changeable expression. A changeable function is stable as a value. The application of a changeable function is a changeable expression. A memoized changeable expression is written $\mathtt{memo}_c\ e_c$. The changeable expressions include the let expression for ordering evaluation and the elimination forms for sums and products. These differ from their stable counterparts because their bodies consist of changeable expressions.



2.2 Stores, well-formed expressions, and lifting 

Evaluation of an AML expression takes place in the context of a store, written $\sigma$ (and variants), defined as a finite map from locations $l$ to values $v$. We write $\mathrm{dom}(\sigma)$ for the domain of a store, and $\sigma(l)$ for the value at location $l$, provided $l \in \mathrm{dom}(\sigma)$. We write $\sigma[l \leftarrow v]$ to denote the extension of $\sigma$ with a mapping of $l$ to $v$. If $l$ is already in the domain of $\sigma$, then the extension replaces the previous mapping.

\[
\sigma[l \leftarrow v](l') = \begin{cases} v & \text{if } l' = l \\ \sigma(l') & \text{if } l' \neq l \text{ and } l' \in \mathrm{dom}(\sigma) \end{cases}
\qquad\qquad
\mathrm{dom}(\sigma[l \leftarrow v]) = \mathrm{dom}(\sigma) \cup \{l\}
\]
We say that an expression $e$ is well-formed in store $\sigma$ if 1) all locations reachable from $e$ in $\sigma$ are in $\mathrm{dom}(\sigma)$ ("no dangling pointers"), and 2) the portion of $\sigma$ reachable from $e$ is free of cycles. If $e$ is well-formed in $\sigma$, then we can obtain a "lifted" expression $e'$ by recursively replacing every reachable location $l$ with its stored value $\sigma(l)$. The notion of lifting will be useful in the formal statement of our main theorems (Section 3).

We use the judgment $e, \sigma \xrightarrow{\mathrm{wf}} e', L$ to say that $e$ is well-formed in $\sigma$, that $e'$ is $e$ lifted in $\sigma$, and that $L$ is the set of locations reachable from $e$ in $\sigma$. The rules for deriving such judgments are shown in Figure 2. Any finite derivation of such a judgment implies well-formedness of $e$ in $\sigma$.

\[
\frac{l \in \mathrm{dom}(\sigma) \quad \sigma(l), \sigma \xrightarrow{\mathrm{wf}} v, L}{l, \sigma \xrightarrow{\mathrm{wf}} v, \{l\} \cup L}
\qquad
\frac{}{v, \sigma \xrightarrow{\mathrm{wf}} v, \emptyset}\ (v \text{ a constant, } () \text{ or a variable})
\qquad
\frac{v_1, \sigma \xrightarrow{\mathrm{wf}} v'_1, L_1 \quad v_2, \sigma \xrightarrow{\mathrm{wf}} v'_2, L_2}{(v_1, v_2), \sigma \xrightarrow{\mathrm{wf}} (v'_1, v'_2), L_1 \cup L_2}
\]
\[
\frac{e_c, \sigma \xrightarrow{\mathrm{wf}} e'_c, L}{\mathtt{mod}\ e_c, \sigma \xrightarrow{\mathrm{wf}} \mathtt{mod}\ e'_c, L}
\qquad
\frac{v, \sigma \xrightarrow{\mathrm{wf}} v', L}{\mathtt{in}_{\{\mathtt{l},\mathtt{r}\}}\ v, \sigma \xrightarrow{\mathrm{wf}} \mathtt{in}_{\{\mathtt{l},\mathtt{r}\}}\ v', L}
\qquad
\frac{v, \sigma \xrightarrow{\mathrm{wf}} v', L}{\mathtt{write}(v), \sigma \xrightarrow{\mathrm{wf}} \mathtt{write}(v'), L}
\qquad
\frac{e, \sigma \xrightarrow{\mathrm{wf}} e', L}{\mathtt{fun}_{\{s,c\}}\ f(x)\ \mathtt{is}\ e, \sigma \xrightarrow{\mathrm{wf}} \mathtt{fun}_{\{s,c\}}\ f(x)\ \mathtt{is}\ e', L}
\]
\[
\frac{v_1, \sigma \xrightarrow{\mathrm{wf}} v'_1, L_1 \quad \cdots \quad v_n, \sigma \xrightarrow{\mathrm{wf}} v'_n, L_n}{o(v_1, \ldots, v_n), \sigma \xrightarrow{\mathrm{wf}} o(v'_1, \ldots, v'_n), L_1 \cup \cdots \cup L_n}
\qquad
\frac{v_1, \sigma \xrightarrow{\mathrm{wf}} v'_1, L_1 \quad v_2, \sigma \xrightarrow{\mathrm{wf}} v'_2, L_2}{\mathtt{apply}_{\{s,c\}}(v_1, v_2), \sigma \xrightarrow{\mathrm{wf}} \mathtt{apply}_{\{s,c\}}(v'_1, v'_2), L_1 \cup L_2}
\]
\[
\frac{e_1, \sigma \xrightarrow{\mathrm{wf}} e'_1, L \quad e_2, \sigma \xrightarrow{\mathrm{wf}} e'_2, L'}{\mathtt{let}\ x = e_1\ \mathtt{in}\ e_2, \sigma \xrightarrow{\mathrm{wf}} \mathtt{let}\ x = e'_1\ \mathtt{in}\ e'_2, L \cup L'}
\qquad
\frac{v, \sigma \xrightarrow{\mathrm{wf}} v', L \quad e, \sigma \xrightarrow{\mathrm{wf}} e', L'}{\mathtt{let}\ x_1 \times x_2 = v\ \mathtt{in}\ e, \sigma \xrightarrow{\mathrm{wf}} \mathtt{let}\ x_1 \times x_2 = v'\ \mathtt{in}\ e', L \cup L'}
\]
\[
\frac{v, \sigma \xrightarrow{\mathrm{wf}} v', L \quad e_1, \sigma \xrightarrow{\mathrm{wf}} e'_1, L_1 \quad e_2, \sigma \xrightarrow{\mathrm{wf}} e'_2, L_2}{(\mathtt{case}\ v\ \mathtt{of}\ \mathtt{inl}(x_1) \Rightarrow e_1 \mid \mathtt{inr}(x_2) \Rightarrow e_2\ \mathtt{end}), \sigma \xrightarrow{\mathrm{wf}} (\mathtt{case}\ v'\ \mathtt{of}\ \mathtt{inl}(x_1) \Rightarrow e'_1 \mid \mathtt{inr}(x_2) \Rightarrow e'_2\ \mathtt{end}), L \cup L_1 \cup L_2}
\]
\[
\frac{e, \sigma \xrightarrow{\mathrm{wf}} e', L}{\mathtt{memo}_{\{s,c\}}\ e, \sigma \xrightarrow{\mathrm{wf}} \mathtt{memo}_{\{s,c\}}\ e', L}
\qquad
\frac{v, \sigma \xrightarrow{\mathrm{wf}} v', L \quad e_c, \sigma \xrightarrow{\mathrm{wf}} e'_c, L'}{\mathtt{read}\ v\ \mathtt{as}\ x\ \mathtt{in}\ e_c, \sigma \xrightarrow{\mathrm{wf}} \mathtt{read}\ v'\ \mathtt{as}\ x\ \mathtt{in}\ e'_c, L \cup L'}
\]

Figure 2: Well-formed expressions and lifts.

We will use two notational shorthands for the rest of the paper: by writing $e \uparrow \sigma$ or $\mathrm{reach}(e, \sigma)$ we implicitly assert that there exist a location-free expression $e'$ and a set of locations $L$ such that $e, \sigma \xrightarrow{\mathrm{wf}} e', L$. The notation $e \uparrow \sigma$ itself stands for the lifted expression $e'$, and $\mathrm{reach}(e, \sigma)$ stands for the set of reachable locations $L$. It is easy to see that $e$ and $\sigma$ uniquely determine $e \uparrow \sigma$ and $\mathrm{reach}(e, \sigma)$ (if they exist).

2.3 Dynamic semantics 

The evaluation judgments of AML (Figures 5 and 6) consist of separate judgments for stable and changeable expressions. The judgment $\sigma, e \Downarrow_s v, \sigma', T_s$ states that evaluation of the stable expression $e$ relative to the input store $\sigma$ yields the value $v$, the trace $T_s$, and the updated store $\sigma'$. Similarly, the judgment $\sigma, l \leftarrow e \Downarrow_c \sigma', T_c$ states that evaluation of the changeable expression $e$ relative to the input store $\sigma$ writes its value to the target $l$, and yields the trace $T_c$ together with the updated store $\sigma'$.

A trace records the adaptive aspects of evaluation. Like the expressions whose evaluations they 
describe, traces come in stable and changeable varieties. The abstract syntax of traces is given by 
the following grammar: 

\[
\begin{array}{lrcl}
\text{Stable} & T_s & ::= & \varepsilon \mid \mathtt{mod}\ l \leftarrow T_c \mid \mathtt{let}\ T_s\ T_s \\
\text{Changeable} & T_c & ::= & \mathtt{write}\ v \mid \mathtt{let}\ T_s\ T_c \mid \mathtt{read}_{l \to x = v . e}\ T_c
\end{array}
\]

A stable trace records the sequence of allocations of modifiables that arise during the evaluation of a stable expression. The trace $\mathtt{mod}\ l \leftarrow T_c$ records the allocation of the modifiable $l$ and the trace of the initialization code for $l$. The trace $\mathtt{let}\ T_s\ T'_s$ results from evaluating a let expression in stable mode, the first trace resulting from the bound expression, the second from its body.

A changeable trace has one of three forms. A write, $\mathtt{write}\ v$, records the storage of the value $v$ in the target. A sequence $\mathtt{let}\ T_s\ T_c$ records the evaluation of a let expression in changeable mode, with $T_s$ corresponding to the bound stable expression, and $T_c$ corresponding to its body. A read $\mathtt{read}_{l \to x = v . e}\ T_c$ specifies the location read ($l$), the value read ($v$), the context of use of its value ($x.e$) and the trace ($T_c$) of the remainder of the evaluation within the scope of that read. This records the dependency of the target on the value of the location read.
\[
\frac{\sigma, e_s \Downarrow_s v, \sigma', T \quad \mathrm{alloc}(T) \cap \mathrm{reach}(e_s, \sigma) = \emptyset}{\sigma, e_s \Downarrow_s^{ok} v, \sigma', T}\ (\text{valid/s})
\qquad
\frac{\sigma, l \leftarrow e_c \Downarrow_c \sigma', T \quad \mathrm{alloc}(T) \cap \mathrm{reach}(e_c, \sigma) = \emptyset \quad l \notin \mathrm{reach}(e_c, \sigma) \cup \mathrm{alloc}(T)}{\sigma, l \leftarrow e_c \Downarrow_c^{ok} \sigma', T}\ (\text{valid/c})
\]

Figure 3: Valid evaluations.



We define the set of allocated locations of a trace $T$, denoted $\mathrm{alloc}(T)$, as follows:

\[
\begin{array}{rcl}
\mathrm{alloc}(\varepsilon) & = & \emptyset \\
\mathrm{alloc}(\mathtt{write}\ v) & = & \emptyset \\
\mathrm{alloc}(\mathtt{mod}\ l \leftarrow T_c) & = & \{l\} \cup \mathrm{alloc}(T_c) \\
\mathrm{alloc}(\mathtt{let}\ T_1\ T_2) & = & \mathrm{alloc}(T_1) \cup \mathrm{alloc}(T_2) \\
\mathrm{alloc}(\mathtt{read}_{l \to x = v . e}\ T_c) & = & \mathrm{alloc}(T_c)
\end{array}
\]

For example, if $T_{\mathrm{sample}} = \mathtt{let}\ (\mathtt{mod}\ l_1 \leftarrow \mathtt{write}\ 2)\ (\mathtt{read}_{l_1 \to x = 2 . e}\ \mathtt{write}\ 3)$, then $\mathrm{alloc}(T_{\mathrm{sample}}) = \{l_1\}$.

Well-formedness, lifts, and primitive operations. We require that primitive operations preserve well-formedness. In other words, when a primitive operation is applied to some arguments, it does not create dangling pointers or cycles in the store, nor does it extend the set of locations reachable from the arguments. Formally, this property can be stated as follows.

\[
\text{If } \forall i.\ v_i, \sigma \xrightarrow{\mathrm{wf}} v'_i, L_i \text{ and } v = o(v_1, \ldots, v_n), \text{ then } v, \sigma \xrightarrow{\mathrm{wf}} v', L \text{ such that } L \subseteq \bigcup_{i=1}^{n} L_i.
\]

Moreover, no AML operation is permitted to be sensitive to the identity of locations. In the case of primitive operations we formalize this by postulating that they commute with lifts:

\[
\text{If } \forall i.\ v_i, \sigma \xrightarrow{\mathrm{wf}} v'_i, L_i \text{ and } v = o(v_1, \ldots, v_n), \text{ then } v, \sigma \xrightarrow{\mathrm{wf}} v', L \text{ such that } v' = o(v'_1, \ldots, v'_n).
\]

In short, this can be stated as $o(v_1 \uparrow \sigma, \ldots, v_n \uparrow \sigma) = (o(v_1, \ldots, v_n)) \uparrow \sigma$.

For example, all primitive operations that operate only on non-location values preserve well-formedness and commute with lifts.

Valid evaluations. We consider only evaluations of well-formed expressions $e$ in stores $\sigma$, i.e., those $e$ and $\sigma$ where $e \uparrow \sigma$ and $\mathrm{reach}(e, \sigma)$ are defined. Well-formedness is critical for proving correctness: the requirement that the reachable portion of the store is acyclic ensures that the approach is consistent with purely functional programming, and the requirement that all reachable locations are in the store ensures that evaluations do not cause disaster by allocating a "fresh" location that happens to be reachable. We note that it is possible to omit the well-formedness requirement by giving a type system and a type safety proof. This approach limits the applicability of the theorem to type-safe programs only. Because of the imperative nature of the dynamic semantics, a type safety proof for AML is also complicated. We therefore choose to formalize well-formedness separately.

\[
\frac{}{\sigma, e_s \uparrow_s}\ (\text{miss/s})
\qquad
\frac{\sigma_0, e_s \Downarrow_s^{ok} v, \sigma'_0, T}{\sigma, e_s \downarrow_s v, T}\ (\text{hit/s})
\qquad
\frac{}{\sigma, e_c \uparrow_c}\ (\text{miss/c})
\qquad
\frac{\sigma_0, l \leftarrow e_c \Downarrow_c^{ok} \sigma'_0, T}{\sigma, e_c \downarrow_c T}\ (\text{hit/c})
\]

Figure 4: The oracle. In the hit rules, $\sigma_0$ and $l$ are arbitrary: the returned trace comes from a valid evaluation in some store, not necessarily the current one.

Our approach requires showing that evaluation preserves well-formedness. To establish well-formedness inductively, we define valid evaluations. We say that an evaluation of an expression $e$ in the context of a store $\sigma$ is valid if

1. $e$ is well-formed in $\sigma$,

2. the locations allocated during evaluation are disjoint from the locations that are initially reachable from $e$ (i.e., those that are in $\mathrm{reach}(e, \sigma)$), and

3. the target location of a changeable evaluation is contained neither in $\mathrm{reach}(e, \sigma)$ nor in the locations allocated during evaluation.

We use $\Downarrow_s^{ok}$ instead of $\Downarrow_s$ and $\Downarrow_c^{ok}$ instead of $\Downarrow_c$ to indicate valid stable and changeable evaluations, respectively. The rules for deriving valid evaluation judgments are shown in Figure 3.

The Oracle. The dynamic semantics for AML use an oracle to model memoization. Figure 4 shows the evaluation rules for the oracle. For a stable or a changeable expression $e$, we write an oracle miss as $\sigma, e \uparrow_s$ or $\sigma, e \uparrow_c$, respectively. The treatment of oracle hits depends on whether the expression is stable or changeable. For a stable expression, the oracle returns the value and the trace of a valid evaluation of the expression in some store. For a changeable expression, the oracle returns the trace of a valid evaluation of the expression in some store with some destination.

The key difference between the oracle and conventional approaches to memoization is that the oracle is free to return the trace (and the value, for stable expressions) of a computation that is consistent with any store — not necessarily with the current store. Since the evaluation whose results are being returned by the oracle can take place in a different store than the current store, the trace and the value (if any) returned by the oracle cannot be incorporated into the evaluation directly. Instead, the dynamic semantics perform a change propagation on the trace returned by the oracle before incorporating it into the current evaluation (this is described below).

Stable Evaluation. Figure 5 shows the evaluation rules for stable expressions. Most rules are standard for a store-passing semantics except that they also return traces. The interesting rules are those for let, mod, and memo.
\[
\frac{}{\sigma, v \Downarrow_s v, \sigma, \varepsilon}\ (\text{value})
\qquad
\frac{v = \mathrm{app}(o, (v_1, \ldots, v_n))}{\sigma, o(v_1, \ldots, v_n) \Downarrow_s v, \sigma, \varepsilon}\ (\text{prim})
\qquad
\frac{l \notin \mathrm{alloc}(T) \quad \sigma, l \leftarrow e \Downarrow_c \sigma', T}{\sigma, \mathtt{mod}\ e \Downarrow_s l, \sigma', \mathtt{mod}\ l \leftarrow T}\ (\text{mod})
\]
\[
\frac{\sigma, e \uparrow_s \quad \sigma, e \Downarrow_s v, \sigma', T}{\sigma, \mathtt{memo}_s\ e \Downarrow_s v, \sigma', T}\ (\text{memo/miss})
\qquad
\frac{\sigma, e \downarrow_s v, T \quad \sigma, T \curvearrowright \sigma', T'}{\sigma, \mathtt{memo}_s\ e \Downarrow_s v, \sigma', T'}\ (\text{memo/hit})
\]
\[
\frac{v_1 = \mathtt{fun}_s\ f(x)\ \mathtt{is}\ e \quad \sigma, [v_1/f, v_2/x]\,e \Downarrow_s v, \sigma', T}{\sigma, \mathtt{apply}_s(v_1, v_2) \Downarrow_s v, \sigma', T}\ (\text{apply})
\]
\[
\frac{\sigma, e_1 \Downarrow_s v_1, \sigma_1, T_1 \quad \sigma_1, [v_1/x]\,e_2 \Downarrow_s v_2, \sigma_2, T_2 \quad \mathrm{alloc}(T_1) \cap \mathrm{alloc}(T_2) = \emptyset}{\sigma, \mathtt{let}\ x = e_1\ \mathtt{in}\ e_2 \Downarrow_s v_2, \sigma_2, \mathtt{let}\ T_1\ T_2}\ (\text{let})
\]
\[
\frac{\sigma, [v_1/x_1, v_2/x_2]\,e \Downarrow_s v, \sigma', T}{\sigma, \mathtt{let}\ x_1 \times x_2 = (v_1, v_2)\ \mathtt{in}\ e \Downarrow_s v, \sigma', T}\ (\text{letx})
\]
\[
\frac{\sigma, [v/x_1]\,e_1 \Downarrow_s v', \sigma', T}{\sigma, \mathtt{case}\ \mathtt{inl}\ v\ \mathtt{of}\ \mathtt{inl}(x_1) \Rightarrow e_1 \mid \mathtt{inr}(x_2) \Rightarrow e_2\ \mathtt{end} \Downarrow_s v', \sigma', T}\ (\text{case/inl})
\]
\[
\frac{\sigma, [v/x_2]\,e_2 \Downarrow_s v', \sigma', T}{\sigma, \mathtt{case}\ \mathtt{inr}\ v\ \mathtt{of}\ \mathtt{inl}(x_1) \Rightarrow e_1 \mid \mathtt{inr}(x_2) \Rightarrow e_2\ \mathtt{end} \Downarrow_s v', \sigma', T}\ (\text{case/inr})
\]

Figure 5: Evaluation of stable expressions.
\[
\frac{}{\sigma, l \leftarrow \mathtt{write}(v) \Downarrow_c \sigma[l \leftarrow v], \mathtt{write}\ v}\ (\text{write})
\qquad
\frac{\sigma, l \leftarrow [\sigma(l')/x]\,e \Downarrow_c \sigma', T}{\sigma, l \leftarrow \mathtt{read}\ l'\ \mathtt{as}\ x\ \mathtt{in}\ e \Downarrow_c \sigma', \mathtt{read}_{l' \to x = \sigma(l') . e}\ T}\ (\text{read})
\]
\[
\frac{\sigma, e \uparrow_c \quad \sigma, l \leftarrow e \Downarrow_c \sigma', T}{\sigma, l \leftarrow \mathtt{memo}_c\ e \Downarrow_c \sigma', T}\ (\text{memo/miss})
\qquad
\frac{\sigma, e \downarrow_c T \quad \sigma, l \leftarrow T \curvearrowright \sigma', T'}{\sigma, l \leftarrow \mathtt{memo}_c\ e \Downarrow_c \sigma', T'}\ (\text{memo/hit})
\]
\[
\frac{v_1 = \mathtt{fun}_c\ f(x)\ \mathtt{is}\ e \quad \sigma, l \leftarrow [v_1/f, v_2/x]\,e \Downarrow_c \sigma', T}{\sigma, l \leftarrow \mathtt{apply}_c(v_1, v_2) \Downarrow_c \sigma', T}\ (\text{apply})
\]
\[
\frac{\sigma, e_1 \Downarrow_s v_1, \sigma_1, T_1 \quad \sigma_1, l \leftarrow [v_1/x]\,e_2 \Downarrow_c \sigma_2, T_2 \quad \mathrm{alloc}(T_1) \cap \mathrm{alloc}(T_2) = \emptyset}{\sigma, l \leftarrow \mathtt{let}\ x = e_1\ \mathtt{in}\ e_2 \Downarrow_c \sigma_2, \mathtt{let}\ T_1\ T_2}\ (\text{let})
\]
\[
\frac{\sigma, l \leftarrow [v_1/x_1, v_2/x_2]\,e \Downarrow_c \sigma', T}{\sigma, l \leftarrow \mathtt{let}\ x_1 \times x_2 = (v_1, v_2)\ \mathtt{in}\ e \Downarrow_c \sigma', T}\ (\text{letx})
\]
\[
\frac{\sigma, l \leftarrow [v/x_1]\,e_1 \Downarrow_c \sigma', T}{\sigma, l \leftarrow \mathtt{case}\ \mathtt{inl}\ v\ \mathtt{of}\ \mathtt{inl}(x_1) \Rightarrow e_1 \mid \mathtt{inr}(x_2) \Rightarrow e_2\ \mathtt{end} \Downarrow_c \sigma', T}\ (\text{case/inl})
\]
\[
\frac{\sigma, l \leftarrow [v/x_2]\,e_2 \Downarrow_c \sigma', T}{\sigma, l \leftarrow \mathtt{case}\ \mathtt{inr}\ v\ \mathtt{of}\ \mathtt{inl}(x_1) \Rightarrow e_1 \mid \mathtt{inr}(x_2) \Rightarrow e_2\ \mathtt{end} \Downarrow_c \sigma', T}\ (\text{case/inr})
\]

Figure 6: Evaluation of changeable expressions.



The let rule sequences evaluation of its two expressions, performs binding by substitution, and yields a trace consisting of the sequential composition of the traces of its sub-expressions. For the traces to be well-formed, the rule requires that they allocate disjoint sets of locations. The mod rule allocates a location $l$, adds it to the store, and evaluates its body (a changeable expression) with $l$ as the target. To ensure that $l$ is not allocated multiple times, the rule requires that $l$ is not allocated in the trace of the body. Note that the allocated location does not need to be fresh; it can already be in the store, i.e., $l \in \mathrm{dom}(\sigma)$. Since every changeable expression ends with a write, it is guaranteed that an allocated location is written before it can be read.

The memo rule consults an oracle to determine whether its body should be evaluated. If the oracle returns a miss, then the body is evaluated as usual and the value, the store, and the trace obtained via evaluation are returned. If the oracle returns a hit, then it returns a value $v$ and a trace $T$. To adapt the trace to the current store $\sigma$, the evaluation performs a change propagation on $T$ in $\sigma$ and returns the value $v$ returned by the oracle, together with the trace and the store returned by change propagation. Note that since change propagation can change the contents of the store, it can also indirectly change the (lifted) contents of $v$.

Changeable Evaluation. Figure 6 shows the evaluation rules for changeable expressions. Evaluations in changeable mode perform destination passing. The let, memo, and apply rules are similar to the corresponding rules in stable mode except that the body of each expression is evaluated in changeable mode. The read expression substitutes the value stored in $\sigma$ at the location being read, $l'$, for the bound variable $x$ in $e$ and continues evaluation in changeable mode. A read is recorded in the trace, along with the value read, the variable bound, and the body of the read. A write simply assigns its argument to the target in the store. The evaluation of memoized changeable expressions is similar to that of stable expressions.

\[
\frac{}{\sigma, \varepsilon \curvearrowright \sigma, \varepsilon}\ (\text{empty})
\qquad
\frac{\sigma, l \leftarrow T \curvearrowright \sigma', T' \quad l \notin \mathrm{alloc}(T')}{\sigma, \mathtt{mod}\ l \leftarrow T \curvearrowright \sigma', \mathtt{mod}\ l \leftarrow T'}\ (\text{mod})
\qquad
\frac{}{\sigma, l \leftarrow \mathtt{write}\ v \curvearrowright \sigma[l \leftarrow v], \mathtt{write}\ v}\ (\text{write})
\]
\[
\frac{\sigma, T_1 \curvearrowright \sigma', T'_1 \quad \sigma', T_2 \curvearrowright \sigma'', T'_2 \quad \mathrm{alloc}(T'_1) \cap \mathrm{alloc}(T'_2) = \emptyset}{\sigma, \mathtt{let}\ T_1\ T_2 \curvearrowright \sigma'', \mathtt{let}\ T'_1\ T'_2}\ (\text{let/s})
\]
\[
\frac{\sigma, T_1 \curvearrowright \sigma', T'_1 \quad \sigma', l \leftarrow T_2 \curvearrowright \sigma'', T'_2 \quad \mathrm{alloc}(T'_1) \cap \mathrm{alloc}(T'_2) = \emptyset}{\sigma, l \leftarrow (\mathtt{let}\ T_1\ T_2) \curvearrowright \sigma'', (\mathtt{let}\ T'_1\ T'_2)}\ (\text{let/c})
\]
\[
\frac{\sigma(l') = v \quad \sigma, l \leftarrow T \curvearrowright \sigma', T'}{\sigma, l \leftarrow \mathtt{read}_{l' \to x = v . e}\ T \curvearrowright \sigma', \mathtt{read}_{l' \to x = v . e}\ T'}\ (\text{read/no ch.})
\]
\[
\frac{\sigma(l') \neq v \quad \sigma, l \leftarrow [\sigma(l')/x]\,e \Downarrow_c \sigma', T'}{\sigma, l \leftarrow \mathtt{read}_{l' \to x = v . e}\ T \curvearrowright \sigma', \mathtt{read}_{l' \to x = \sigma(l') . e}\ T'}\ (\text{read/ch.})
\]

Figure 7: Change propagation judgments.

Change propagation. Figure 7 shows the rules for change propagation. As with the evaluation rules, change-propagation rules are partitioned into stable and changeable, depending on the kind of the trace being processed. The stable change-propagation judgment $\sigma, T_s \curvearrowright \sigma', T'_s$ states that change propagating into the stable trace $T_s$ in the context of the store $\sigma$ yields the store $\sigma'$ and the stable trace $T'_s$. The changeable change-propagation judgment $\sigma, l \leftarrow T_c \curvearrowright \sigma', T'_c$ states that change propagation into the changeable trace $T_c$ with target $l$ in the context of the store $\sigma$ yields the changeable trace $T'_c$ and the store $\sigma'$. The change-propagation rules mimic evaluation by either skipping over the parts of the trace that remain the same in the given store or by re-evaluating the reads that read locations whose values are different in the given store. The rules are labeled with the expression forms they mimic.

If the trace is empty, change propagation returns an empty trace and the same store. The mod rule recursively propagates into the trace $T$ for the body to obtain a new trace $T'$ and returns a trace where $T$ is substituted by $T'$, under the condition that the target $l$ is not allocated in $T'$. This condition is necessary to ensure the allocation integrity of the returned trace. The stable let rule propagates into its two parts $T_1$ and $T_2$ recursively and returns a trace by combining the resulting traces $T'_1$ and $T'_2$, provided that the resulting trace ensures allocation integrity. The write rule performs the recorded write in the given store by extending the target with the value recorded in the trace. This is necessary to ensure that the result of a re-used changeable computation is recorded in the new store. The read rule depends on whether the contents of the location $l'$ being read is the same in the store as the value $v$ recorded in the trace. If the contents is the same as in the trace, then change propagation proceeds into the body $T$ of the read and the resulting trace is substituted for $T$. Otherwise, the body of the read is evaluated with the specified target. Note that this makes evaluation and change propagation mutually recursive: evaluation calls change propagation in the case of an oracle hit, and change propagation calls evaluation in the case of a changed read. The changeable let rule is similar to the stable let.

Most change-propagation judgments perform some consistency checks and otherwise propagate forward. Only when a read finds that the location in question has changed does it re-run the changeable computation in its body and replace the corresponding trace.
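To make the evaluation rules of Figures 5 and 6, the trace grammar and alloc of Section 2.3, and the change-propagation rules of Figure 7 concrete, here is an added Python model of the memo-free fragment (it is not part of the paper or its Twelf development). It evaluates a small constructed AML program to a trace, mutates an input modifiable in the store, and propagates the change through the trace, re-running only the reads whose recorded value no longer matches the store; memoization and location recycling are left out, and the program, the initial store and the location names `@in1`/`@in2` are constructed for the example.

```python
"""Named-form syntax; values are ints, variable names, or locations written '@name':
  e_s : v | ('prim', '+', (v, ...)) | ('mod', e_c) | ('let', x, e_s, e_s)
  e_c : ('write', v) | ('read', l, x, e_c) | ('let', x, e_s, e_c)
  T   : ('empty',) | ('modT', l, T_c) | ('letT', T1, T2) | ('writeT', v) | ('readT', l, v, x, e, T_c)
"""
import itertools
_fresh = itertools.count(1)   # allocator for modifiables; never recycles, so l is never in alloc(T)

def subst(e, x, v):
    """[v/x]e: substitute value v for variable x (location strings never equal a variable)."""
    if isinstance(e, str): return v if e == x else e
    if isinstance(e, int): return e
    tag = e[0]
    if tag == 'prim': return ('prim', e[1], tuple(subst(a, x, v) for a in e[2]))
    if tag in ('mod', 'write'): return (tag, subst(e[1], x, v))
    if tag == 'let':
        _, y, es, body = e
        return ('let', y, subst(es, x, v), body if y == x else subst(body, x, v))
    _, l, y, body = e                                  # 'read': the bound y shadows x in body
    return ('read', subst(l, x, v), y, body if y == x else subst(body, x, v))

def eval_s(store, e):
    """sigma, e ⇓s v, sigma', T_s.  Stores are immutable dicts; each rule returns a new one."""
    if isinstance(e, (int, str)):                      # (value)
        return e, store, ('empty',)
    if e[0] == 'prim':                                 # (prim): '+' over already-substituted ints
        return sum(e[2]), store, ('empty',)
    if e[0] == 'mod':                                  # (mod): pick l, initialise it via the body
        l = '@%d' % next(_fresh)
        store2, tc = eval_c(store, l, e[1])
        return l, store2, ('modT', l, tc)
    _, x, es, body = e                                 # (let): sequence, then bind by substitution
    v1, s1, t1 = eval_s(store, es)
    v2, s2, t2 = eval_s(s1, subst(body, x, v1))
    return v2, s2, ('letT', t1, t2)

def eval_c(store, target, e):
    """sigma, l <- e ⇓c sigma', T_c: every changeable expression ends by writing target."""
    if e[0] == 'write':                                # (write)
        return {**store, target: e[1]}, ('writeT', e[1])
    if e[0] == 'read':                                 # (read): record l', its value, x.e, rest
        _, l, x, body = e
        s2, tc = eval_c(store, target, subst(body, x, store[l]))
        return s2, ('readT', l, store[l], x, body, tc)
    _, x, es, body = e                                 # (let)
    v1, s1, t1 = eval_s(store, es)
    s2, t2 = eval_c(s1, target, subst(body, x, v1))
    return s2, ('letT', t1, t2)

def prop_s(store, t):
    """sigma, T_s ↷ sigma', T_s': change propagation into a stable trace."""
    if t[0] == 'empty':                                # (empty)
        return store, t
    if t[0] == 'modT':                                 # (mod): propagate into the initialiser
        s2, tc = prop_c(store, t[1], t[2])
        return s2, ('modT', t[1], tc)
    s1, t1 = prop_s(store, t[1])                       # (let/s)
    s2, t2 = prop_s(s1, t[2])
    return s2, ('letT', t1, t2)

def prop_c(store, target, t):
    """sigma, l <- T_c ↷ sigma', T_c': change propagation into a changeable trace."""
    if t[0] == 'writeT':                               # (write): redo the recorded write
        return {**store, target: t[1]}, t
    if t[0] == 'letT':                                 # (let/c)
        s1, t1 = prop_s(store, t[1])
        s2, t2 = prop_c(s1, target, t[2])
        return s2, ('letT', t1, t2)
    _, l, v, x, body, tc = t
    if store[l] == v:                                  # (read/no ch.): value unchanged, skip body
        s2, tc2 = prop_c(store, target, tc)
        return s2, ('readT', l, v, x, body, tc2)
    s2, tc2 = eval_c(store, target, subst(body, x, store[l]))   # (read/ch.): re-evaluate x.e
    return s2, ('readT', l, store[l], x, body, tc2)

def alloc(t):
    """Locations allocated in a trace, as defined in Section 2.3."""
    if t[0] in ('empty', 'writeT'): return set()
    if t[0] == 'modT': return {t[1]} | alloc(t[2])
    if t[0] == 'letT': return alloc(t[1]) | alloc(t[2])
    return alloc(t[5])

def demo():
    """Evaluate a constructed program, mutate inputs, propagate; return the observed contents."""
    store0 = {'@in1': 2, '@in2': 10}                  # constructed inputs: pre-existing modifiables
    # let b = mod (read @in1 as x in let y = x + 1 in write y) in
    # let c = mod (read b as x in read @in2 as z in let w = x + z in write w) in c
    prog = ('let', 'b', ('mod', ('read', '@in1', 'x',
                                 ('let', 'y', ('prim', '+', ('x', 1)), ('write', 'y')))),
            ('let', 'c', ('mod', ('read', 'b', 'x', ('read', '@in2', 'z',
                                 ('let', 'w', ('prim', '+', ('x', 'z')), ('write', 'w'))))),
             'c'))
    c, s1, trace = eval_s(store0, prog)
    b = trace[1][1]                                    # location allocated by the first mod
    assert set(s1) == set(store0) | alloc(trace)       # evaluation invariant 1
    s2, trace2 = prop_s({**s1, '@in1': 5}, trace)      # input that b, and through b, c depend on
    s3, _ = prop_s({**s1, '@in2': 20}, trace)          # input only c depends on: b's read is skipped
    return {'before': (s1[b], s1[c]), 'after_in1': (s2[b], s2[c]),
            'after_in2': (s3[b], s3[c]), 'recorded_read_of_in1': trace2[1][2][2]}
```

Propagating the change to `@in1` re-evaluates both reads (b becomes 6, then c's read of b sees 6 and re-runs), whereas the change to `@in2` reaches c's inner read only, with b's trace walked through the read/no ch. rule.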

Evaluation invariants. Valid evaluations of stable and changeable expressions satisfy the following invariants:

1. All locations allocated in the trace are also allocated in the result store, i.e., if $\sigma, e \Downarrow_s^{ok} v, \sigma', T$ or $\sigma, l \leftarrow e \Downarrow_c^{ok} \sigma', T$, then $\mathrm{dom}(\sigma') = \mathrm{dom}(\sigma) \cup \mathrm{alloc}(T)$.

2. For stable evaluations, any location whose content changes is allocated during that evaluation, i.e., if $\sigma, e \Downarrow_s^{ok} v, \sigma', T$ and $\sigma'(l) \neq \sigma(l)$, then $l \in \mathrm{alloc}(T)$.

3. For changeable evaluations, a location whose content changes is either the target or gets allocated during evaluation, i.e., if $\sigma, l' \leftarrow e \Downarrow_c^{ok} \sigma', T$ and $\sigma'(l) \neq \sigma(l)$, then $l \in \mathrm{alloc}(T) \cup \{l'\}$.

Memo-free evaluations. The oracle rules introduce non-determinism into the dynamic semantics. Lemmas 5 and 6 in Section 3 express the fact that this non-determinism is harmless: change propagation will correctly update all answers returned by the oracle and make everything look as if the oracle never produced any answer at all (meaning that only memo/miss rules were used).

We write $\sigma, e \Downarrow_s^{F} v, \sigma', T$ or $\sigma, l \leftarrow e \Downarrow_c^{F} \sigma', T$ if there is a derivation for $\sigma, e \Downarrow_s v, \sigma', T$ or $\sigma, l \leftarrow e \Downarrow_c \sigma', T$, respectively, that does not use any memo/hit rule. We call such an evaluation memo-free. We use $\Downarrow_s^{F,ok}$ in place of $\Downarrow_s^{ok}$ and $\Downarrow_c^{F,ok}$ in place of $\Downarrow_c^{ok}$ to indicate that a valid evaluation is also memo-free.

2.4 Deterministic, purely functional semantics 

By ignoring memoization and change propagation, we can give an alternative, purely functional semantics for location-free AML programs, which we present in Figure 8. This semantics gives a store-free, pure, deterministic interpretation of AML that provides for no computation reuse. Under this semantics, both stable and changeable expressions evaluate to values, memo, mod and write are simply identities, and read acts as another binding construct. Our correctness result states that the pure interpretation of AML yields results that are the same (up to lifting) as those obtained by AML's dynamic semantics (Section 3).
Figure 8: Purely functional semantics of (location-free) expressions.

Figure 9: The structure of the proofs.



3 Consistency and Correctness 

We now state consistency and correctness theorems for AML and outline their proofs in terms of several main lemmas. As depicted in Figure 9, consistency (Theorem 1) is a consequence of correctness (Theorem 2).



3.1 Main theorems 



Consistency uses structural equality based on the notion of lifts (see Section 2.2 ) to compare the re- 
sults of two potentially different evaluations of the same AML program under its non-deterministic 
semantics. Correctness, on the other hand, compares one such evaluation to a pure, functional 
evaluation. It justifies saying that even with stores, memoization and change propagation, AML is 
essentially a purely functional language. 

Theorem 1 (Consistency) 

If $\sigma, e \Downarrow^{s}_{ok} v_1, \sigma_1, T_1$ and $\sigma, e \Downarrow^{s}_{ok} v_2, \sigma_2, T_2$, then $v_1 \uparrow \sigma_1 = v_2 \uparrow \sigma_2$. 

Theorem 2 (Correctness) 

If $\sigma, e \Downarrow^{s}_{ok} v, \sigma', T$, then $(e \uparrow \sigma) \Downarrow_{st} (v \uparrow \sigma')$. 

Recall that by our convention the use of the notation $v \uparrow \sigma$ implies well-formedness of $v$ in 
$\sigma$. Therefore, part of the statement of consistency is the preservation of well-formedness during 
evaluation, and the inability of AML programs to create cyclic memory graphs. 
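The lift $v \uparrow \sigma$ and the well-formedness it presupposes are easy to make concrete. The following is an added example written for this page, not code from the paper or its Twelf development: it models AML values as tagged tuples, stores as dictionaries, computes the reachable-location set with cycle detection, lifts a value through its store, and compares two results the way Theorem 1 does. The value encoding (and the omission of function values) is an assumption of the example.

```python
# Added example (not from the paper): lifting AML values through a store and
# the structural comparison used by the consistency theorem.
#
# Assumptions made for this illustration: values are nested tuples tagged
# "num", "loc", "pair", "inl" or "inr"; a store is a dict from location names
# to values.  AML function values are omitted.


def reach(v, store):
    """Locations reachable from value v in store, following every location
    through its contents.  Raises ValueError if a location is reachable from
    itself (a cyclic memory graph) and KeyError if a location is unbound:
    in both cases v is not well-formed in store and v ^ store is undefined."""
    result = set()

    def walk(val, path):
        tag = val[0]
        if tag == "loc":
            loc = val[1]
            if loc in path:
                raise ValueError(f"cycle through location {loc!r}")
            if loc not in store:
                raise KeyError(f"unbound location {loc!r}")
            result.add(loc)
            walk(store[loc], path | {loc})
        elif tag == "pair":
            walk(val[1], path)
            walk(val[2], path)
        elif tag in ("inl", "inr"):
            walk(val[1], path)
        elif tag != "num":
            raise ValueError(f"unknown value tag {tag!r}")

    walk(v, frozenset())
    return result


def well_formed(v, store):
    """True iff reach(v, store) is defined: no cycles, no dangling locations."""
    try:
        reach(v, store)
    except (ValueError, KeyError):
        return False
    return True


def lift(v, store):
    """The lift of v in store: replace each location by the lift of its
    contents.  Only defined for well-formed values, so the check comes first."""
    reach(v, store)

    def go(val):
        tag = val[0]
        if tag == "loc":
            return go(store[val[1]])
        if tag == "pair":
            return ("pair", go(val[1]), go(val[2]))
        if tag in ("inl", "inr"):
            return (tag, go(val[1]))
        return val

    return go(v)


def consistent(v1, store1, v2, store2):
    """Theorem 1's notion of agreement: two evaluation results are the same up
    to lifting, whatever locations each evaluation happened to allocate."""
    return lift(v1, store1) == lift(v2, store2)


# Constructed sample data: the same structure (3, 4) produced by two
# evaluations that allocated different locations, plus a cyclic store.
STORE_1 = {"l1": ("num", 3), "l2": ("pair", ("loc", "l1"), ("num", 4))}
RESULT_1 = ("loc", "l2")
STORE_2 = {"l7": ("pair", ("loc", "l9"), ("num", 4)), "l9": ("num", 3)}
RESULT_2 = ("loc", "l7")
CYCLIC_STORE = {"a": ("pair", ("loc", "a"), ("num", 1))}

if __name__ == "__main__":
    print(lift(RESULT_1, STORE_1))
    print(consistent(RESULT_1, STORE_1, RESULT_2, STORE_2))
    print(well_formed(("loc", "a"), CYCLIC_STORE))
```

The cyclic store shows what the write case of Lemma 6 guards against: writing to a location that is reachable from the value being written would make the lift undefined, which is why validity requires the target of a changeable evaluation not to be reachable from the expression.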



3.2 Proof outline 

The consistency theorem is proved in two steps. First, Lemmas 3 and 4 state that consistency is 
true in the restricted setting where all evaluations are memo-free. 

Lemma 3 (purity/st.) 

If $\sigma, e \Downarrow^{s}_{f,ok} v, \sigma', T$, then $(e \uparrow \sigma) \Downarrow_{st} (v \uparrow \sigma')$. 

Lemma 4 (purity/ch.) 

If $\sigma, l \leftarrow e \Downarrow^{c}_{f,ok} \sigma', T$, then $(e \uparrow \sigma) \Downarrow_{st} (l \uparrow \sigma')$. 

Second, Lemmas 5 and 6 state that for any evaluation there is a memo-free counterpart that 
yields an identical result and has identical effects on the store. Notice that this is stronger than say- 
ing that the memo-free evaluation is "equivalent" in some sense (e.g., under lifts). The statements 
of these lemmas are actually even stronger since they include a "preservation of well-formedness" 
statement. Preservation of well-formedness is required in the inductive proof. 

Lemma 5 (memo-freedom/st.) 

If $\sigma, e \Downarrow^{s}_{ok} v, \sigma', T$, then $\sigma, e \Downarrow^{s}_{f} v, \sigma', T$ where $\mathit{reach}(v, \sigma') \subseteq \mathit{reach}(e, \sigma) \cup \mathit{alloc}(T)$. 

Lemma 6 (memo-freedom/ch.) 

If $\sigma, l \leftarrow e \Downarrow^{c}_{ok} \sigma', T$, then $\sigma, l \leftarrow e \Downarrow^{c}_{f} \sigma', T$ where $\mathit{reach}(\sigma'(l), \sigma') \subseteq \mathit{reach}(e, \sigma) \cup \mathit{alloc}(T)$. 

The proof for Lemmas 5 and 6 proceeds by simultaneous induction over the expression $e$. 
It is outlined in far more detail in Section 4. Both lemmas state that if there is a well-formed 
evaluation leading to a store, a trace, and a result (the value $v$ in the stable lemma, or the target 
$l$ in the changeable lemma), the same result (which will be well-formed itself) is obtainable by a 
memo-free run. Moreover, all locations reachable from the result were either reachable from the 
initial expression or were allocated during the evaluation. These conditions help to re-establish 
well-formedness in inductive steps. 

The lemmas are true thanks to a key property of the dynamic semantics: allocated locations 
need not be completely "fresh" in the sense that they may be in the current store as long as they 
are neither reachable from the initial expression nor get allocated multiple times. This means 
that a location that is already in the store can be chosen for reuse by the mod expression (Fig- 
ure 5). To see why this is important, consider as an example the evaluation of the expression 
$\mathsf{memo}_s(\mathsf{mod}(\mathsf{write}(3)))$ in $\sigma$. Suppose now that the oracle returns the value $l$ and the trace $T$: 
$\sigma_0, \mathsf{mod}(\mathsf{write}(3)) \Downarrow^{s} l, \sigma_0', T$. Even if $l \in \mathit{dom}(\sigma)$, change propagation will simply update 
the store as $\sigma[l \leftarrow 3]$ and return $l$. In a memo-free evaluation of the same expression the oracle 
misses, and mod must allocate a location. Thus, if the evaluation of mod were restricted to use 
fresh locations only, it would allocate some $l' \notin \mathit{dom}(\sigma)$, and return that. But since $l \in \mathit{dom}(\sigma)$, 
$l \neq l'$. 

4 The Proofs 

This section presents a proof sketch for the four memo-elimination lemmas as well as the two 
lemmas comparing AML's dynamic semantics to the pure semantics (Section 3). We give a detailed 
analysis for the most difficult cases. These proofs have all been formalized and machine-checked 
in Twelf (see Section 5). 

4.1 Proofs for memo-elimination 



Informally speaking, the proofs for Lemmas 5 and 6, as well as Lemmas 8 and 9, all proceed 
by simultaneous induction on the derivations of the respective result evaluation judgments. The 
imprecision in this statement stems from the fact that, as we will see, there are instances where we 
use the induction hypothesis on something that is not really a sub-derivation of the given derivation. 
For this reason, a full formalization of the proof defines a metric on derivations which demonstrably 
decreases on each inductive step. The discussion of the formalization in Twelf in Section 5 has 
more details on this. 

Substitution 

We will frequently appeal to the following substitution lemma. It states that well-formedness and 
lifts of expressions are preserved under substitution: 

Lemma 7 (Substitution) 

If $e \uparrow \sigma = e'$ with $\mathit{reach}(e, \sigma) = L$, and $v \uparrow \sigma = v'$ with $\mathit{reach}(v, \sigma) = L'$, then $([v/x]\, e) \uparrow \sigma = [v'/x]\, e'$ with $\mathit{reach}([v/x]\, e, \sigma) = L''$ where $L'' \subseteq L \cup L'$. 

The proof for this proceeds by induction on the structure of $e$. 

Hit-elimination lemmas 

Since the cases for the memo/hit rules involve many sub-cases, it is instructive to separate these 
out into separate lemmas: 

Lemma 8 (hit-elimination/stable) 

If $\sigma_0, e \Downarrow^{s}_{ok} v, \sigma_0', T_0$ and $\sigma, T_0 \curvearrowright \sigma', T$ where $\mathit{reach}(e, \sigma) \cap \mathit{alloc}(T) = \emptyset$, 
then $\sigma, e \Downarrow^{s}_{f} v, \sigma', T$ with $\mathit{reach}(v, \sigma') \subseteq \mathit{reach}(e, \sigma) \cup \mathit{alloc}(T)$. 

Lemma 9 (hit-elimination/changeable) 

If $\sigma_0, l \leftarrow e \Downarrow^{c}_{ok} \sigma_0', T_0$ and $\sigma, l \leftarrow T_0 \curvearrowright \sigma', T$ where $\mathit{reach}(e, \sigma) \cap \mathit{alloc}(T) = \emptyset$ and 
$l \notin \mathit{reach}(e, \sigma) \cup \mathit{alloc}(T)$, 

then $\sigma, l \leftarrow e \Downarrow^{c}_{f} \sigma', T$ with $\mathit{reach}(\sigma'(l), \sigma') \subseteq \mathit{reach}(e, \sigma) \cup \mathit{alloc}(T)$. 

Proof sketch for Lemma 5 (stable memo-freedom) 

For the remainder of the current section we will ignore the added complexity caused by the need 
for a decreasing metric on derivations. Here is a sketch of the cases that need to be considered in 
the part of the proof that deals with Lemma 5. 

• value: Since the expression itself is the value, with the trace being empty, this case is trivial. 

• primitives: The case for primitive operations goes through straightforwardly using preser- 
vation of well-formedness. 
• mod: Given $\sigma, \mathsf{mod}\ e \Downarrow^{s}_{ok} l, \sigma', \mathsf{mod}\ l \leftarrow T$ we have 

$\mathit{reach}(\mathsf{mod}\ e, \sigma) \cap \mathit{alloc}(\mathsf{mod}\ l \leftarrow T) = \emptyset$. 

This implies that $l \notin \mathit{reach}(\mathsf{mod}\ e, \sigma)$. By the evaluation rule mod it is also true that 
$\sigma, l \leftarrow e \Downarrow^{c} \sigma', T$ and $l \notin \mathit{alloc}(T)$. By definition of reach and alloc we also know that 
$\mathit{reach}(e, \sigma) \cap \mathit{alloc}(T) = \emptyset$, implying $\sigma, l \leftarrow e \Downarrow^{c}_{ok} \sigma', T$. 

By induction (using Lemma 6) we get $\sigma, l \leftarrow e \Downarrow^{c}_{f} \sigma', T$ with $\mathit{reach}(\sigma'(l), \sigma') \subseteq \mathit{reach}(e, \sigma) \cup \mathit{alloc}(T)$. Since $l$ is the final result, we find that 

$\mathit{reach}(l, \sigma') = \mathit{reach}(\sigma'(l), \sigma') \cup \{l\}$ 

$\quad \subseteq \mathit{reach}(e, \sigma) \cup \mathit{alloc}(T) \cup \{l\}$ 

$\quad = \mathit{reach}(e, \sigma) \cup \mathit{alloc}(\mathsf{mod}\ l \leftarrow T)$. 

• memo/hit: Since the result evaluation is supposed to be memo-free, there really is no use of 
the memo/hit rule there. However, a memo/miss in the memo-free trace can be the result 
of eliminating a memo/hit in the original run. We refer to this situation here, which really 
is the heart of the matter: a use of the memo/hit rule for which we have to show that we 
can eliminate it in favor of some memo-free evaluation. This case has been factored out as a 
separate lemma (Lemma 8), which we can use here inductively. 

• memo/miss: The case of a retained memo/miss is completely straightforward, using the in- 
duction hypothesis (Lemma 5) on the subexpression $e$ in $\mathsf{memo}_s\ e$. 

• let: The difficulty here is to establish that the second part of the evaluation is valid. Given 

$\sigma, \mathsf{let}\ x = e_1\ \mathsf{in}\ e_2 \Downarrow^{s}_{ok} v_2, \sigma'', \mathsf{let}\ T_1\ T_2$ 

we have $L \cap \mathit{alloc}(\mathsf{let}\ T_1\ T_2) = \emptyset$ 
where $L = \mathit{reach}(\mathsf{let}\ x = e_1\ \mathsf{in}\ e_2, \sigma)$. 

By the evaluation rule let it is the case that $\sigma, e_1 \Downarrow^{s} v_1, \sigma', T_1$ where $\mathit{alloc}(T_1) \subseteq \mathit{alloc}(\mathsf{let}\ T_1\ T_2)$. 
Well-formedness of the whole expression implies well-formedness of each of its parts, so 
$\mathit{reach}(e_1, \sigma) \subseteq L$ and $\mathit{reach}(e_2, \sigma) \subseteq L$. This means that $\mathit{reach}(e_1, \sigma) \cap \mathit{alloc}(T_1) = \emptyset$, 
so $\sigma, e_1 \Downarrow^{s}_{ok} v_1, \sigma', T_1$. Using the induction hypothesis (Lemma 5) this implies 

$\sigma, e_1 \Downarrow^{s}_{f} v_1, \sigma', T_1$ 

and $\mathit{reach}(v_1, \sigma') \subseteq \mathit{reach}(e_1, \sigma) \cup \mathit{alloc}(T_1)$. 

Since $\mathit{reach}(e_2, \sigma) \subseteq L$ we have $\mathit{reach}(e_2, \sigma) \cap \mathit{alloc}(T_1) = \emptyset$. Store $\sigma'$ is equal 
to $\sigma$ up to $\mathit{alloc}(T_1)$, so $\mathit{reach}(e_2, \sigma) = \mathit{reach}(e_2, \sigma')$. Therefore, by substitution 
(Lemma 7) we get 

$\mathit{reach}([v_1/x]\, e_2, \sigma') \subseteq \mathit{reach}(e_2, \sigma') \cup \mathit{reach}(v_1, \sigma')$ 

$\quad \subseteq \mathit{reach}(e_2, \sigma) \cup \mathit{reach}(v_1, \sigma')$ 

$\quad \subseteq \mathit{reach}(e_2, \sigma) \cup \mathit{reach}(e_1, \sigma) \cup \mathit{alloc}(T_1)$ 

$\quad = L \cup \mathit{alloc}(T_1)$ 

Since $\mathit{alloc}(T_2)$ is disjoint from both $L$ and $\mathit{alloc}(T_1)$, this means that $\sigma', [v_1/x]\, e_2 \Downarrow^{s}_{ok} v_2, \sigma'', T_2$. 
Using the induction hypothesis (Lemma 5) a second time we get 

$\sigma', [v_1/x]\, e_2 \Downarrow^{s}_{f} v_2, \sigma'', T_2$, 

so by definition 

$\sigma, \mathsf{let}\ x = e_1\ \mathsf{in}\ e_2 \Downarrow^{s}_{f} v_2, \sigma'', \mathsf{let}\ T_1\ T_2$. 

It is then also true that 

$\mathit{reach}(v_2, \sigma'') \subseteq \mathit{reach}([v_1/x]\, e_2, \sigma') \cup \mathit{alloc}(T_2)$ 

$\quad \subseteq L \cup \mathit{alloc}(T_1) \cup \mathit{alloc}(T_2)$ 

$\quad = L \cup \mathit{alloc}(\mathsf{let}\ T_1\ T_2)$, 

which concludes the argument. 

The remaining cases all follow by a straightforward application of Lemma 7 (substitution), 
followed by the use of the induction hypothesis (Lemma 5). 

Proof sketch for Lemma 6 (changeable memo-freedom) 

• write: Given $\sigma, l \leftarrow \mathsf{write}(v) \Downarrow^{c}_{ok} \sigma[l \leftarrow v], \mathsf{write}\ v$ we clearly also have $\sigma, l \leftarrow 
\mathsf{write}(v) \Downarrow^{c}_{f} \sigma[l \leftarrow v], \mathsf{write}\ v$. First we need to show that $\sigma'(l)$ is well-formed in 
$\sigma' = \sigma[l \leftarrow v]$. This is true because $\sigma'(l) = v$ and $l$ is not reachable from $v$ in $\sigma$, so the update 
to $l$ cannot create a cycle. Moreover, this means that the locations reachable from $v$ in $\sigma'$ 
are the same as the ones reachable in $\sigma$, i.e., $\mathit{reach}(v, \sigma) = \mathit{reach}(v, \sigma')$. Since nothing 
is allocated, $\mathit{alloc}(\mathsf{write}\ v) = \emptyset$, so obviously $\mathit{reach}(\sigma'(l), \sigma') \subseteq \mathit{reach}(v, \sigma) \cup 
\mathit{alloc}(\mathsf{write}\ v)$. 

• read: For the case of $\sigma, l \leftarrow \mathsf{read}\ l'\ \mathsf{as}\ x\ \mathsf{in}\ e \Downarrow^{c}_{ok} \sigma', T$ we observe that by definition of 
well-formedness $\sigma(l')$ is also well-formed in $\sigma$. From here the proof proceeds by an appli- 
cation of the substitution lemma, followed by a use of the induction hypothesis (Lemma 6). 

• memo/hit: Again, this is the case of a memo/miss which is the result of eliminating the 
presence of a memo/hit in the original evaluation. Like in the stable setting, we have factored 
this out as a separate lemma (Lemma 9). 

• memo/miss: As before, the case of a retained use of memo/miss is handled by straightfor- 
ward use of the induction hypothesis (Lemma 6). 

• let: The proof for the let case in the changeable setting is tedious but straightforward and 
proceeds along the lines of the proof for the let case in the stable setting. Lemma 5 is used 
inductively for the first sub-expression, Lemma 6 for the second (after establishing validity 
using the substitution lemma). 

The remaining cases follow by application of the substitution lemma and the use of the induc- 
tion hypothesis (Lemma 6). 
Proof of Lemma 8 (stable hit-elimination) 

• value: Immediate. 

• primitives: Immediate. 

• mod: The case of mod requires some attention, since the location being allocated may 
already be present in $\sigma$, a situation which, however, is tolerated by our relaxed evaluation rule 
for $\mathsf{mod}\ e$. We show the proof in detail, using the following calculation, which establishes 
the conclusions (lines (16) and (19)) from the preconditions (lines (1), (2), (3)): 

(1) $\sigma_0, \mathsf{mod}\ e \Downarrow^{s}_{ok} l, \sigma_0', \mathsf{mod}\ l \leftarrow T_0$ (assumption) 
(2) $\sigma, \mathsf{mod}\ l \leftarrow T_0 \curvearrowright \sigma', \mathsf{mod}\ l \leftarrow T$ (assumption) 
(3) $\mathit{reach}(\mathsf{mod}\ e, \sigma) \cap \mathit{alloc}(\mathsf{mod}\ l \leftarrow T) = \emptyset$ (assumption) 
(4) $l \notin \mathit{alloc}(T) \cup \mathit{reach}(e, \sigma)$ (by (2), (3): $l$ is allocated by the trace in (2) and thus at most once) 
(5) $\sigma_0, l \leftarrow e \Downarrow^{c} \sigma_0', T_0$ (by (1), rule mod) 
(6) $\mathit{alloc}(\mathsf{mod}\ l \leftarrow T_0) \cap \mathit{reach}(e, \sigma_0) = \emptyset$ (validity of (1)) 
(7) $\mathit{alloc}(T_0) \cap \mathit{reach}(e, \sigma_0) = \emptyset$ (by (6)) 
(8) $l \notin \mathit{reach}(e, \sigma_0)$ (by (6)) 
(9) $l \notin \mathit{alloc}(T_0)$ (by (1), rule mod) 
(10) $\sigma, l \leftarrow T_0 \curvearrowright \sigma', T$ (by (2), change propagation through mod) 
(11) $\mathit{reach}(e, \sigma) \cap \mathit{alloc}(T) = \emptyset$ (by (3)) 
(12) $l \notin \mathit{reach}(e, \sigma)$ (by (4)) 
(13) $l \notin \mathit{alloc}(T)$ (by (4)) 
(14) $\sigma, l \leftarrow e \Downarrow^{c}_{f} \sigma', T$ (induction hypothesis, Lemma 9, on (5), (7), (8), (9), (10), (11), (12), (13)) 
(15) $\mathit{reach}(\sigma'(l), \sigma') \subseteq \mathit{reach}(e, \sigma) \cup \mathit{alloc}(T)$ (Lemma 9, as for (14)) 
(16) $\sigma, \mathsf{mod}\ e \Downarrow^{s}_{f} l, \sigma', \mathsf{mod}\ l \leftarrow T$ (by (14), (13), rule mod) 
(17) $l \notin \mathit{reach}(\sigma'(l), \sigma')$ (by (15), (12), (13)) 
(18) $\mathit{reach}(l, \sigma') = \mathit{reach}(\sigma'(l), \sigma') \cup \{l\}$ (definition of reach) 
(19) $\mathit{reach}(l, \sigma') \subseteq \mathit{reach}(e, \sigma) \cup \mathit{alloc}(T) \cup \{l\} = \mathit{reach}(e, \sigma) \cup \mathit{alloc}(\mathsf{mod}\ l \leftarrow T)$ (by (18), (15)) 

• memo/hit: This case is proved by two consecutive applications of the induction hypothesis, 
one time to obtain a memo-free version of the original evaluation $\sigma_0, e \Downarrow^{s}_{f} v, \sigma_0', T_0$, and 
then, starting from that, the memo-free final result.

It is here where straightforward induction on the derivation breaks down, since the derivation 
of the memo-free version of the original evaluation is not a sub-derivation of the overall 
derivation. In the formalized and proof-checked version (Section 5) this is handled using an 
auxiliary metric on derivations. 

• memo/miss: In the case where the original evaluation of $\mathsf{memo}_s\ e$ did not use the oracle and 
evaluated $e$ directly, we prove the result by applying the induction hypothesis (Lemma 8). 

• let: We consider the evaluation of $\mathsf{let}\ x = e_1\ \mathsf{in}\ e_2$. Again, the main challenge here is 
to establish that the evaluation of $[v_1/x]\, e_2$, where $v_1$ is the result of $e_1$, is well-formed. The 
argument is tedious but straightforward and proceeds much like that in the proof of Lemma 5. 

All remaining cases are handled simply by applying the substitution lemma (Lemma 7) and 
then using the induction hypothesis (Lemma 8). 

Proof of Lemma 9 (changeable hit-elimination) 

• write: We have $e = \mathsf{write}(v)$ and $T_0 = T = \mathsf{write}\ v$. Therefore, trivially, $\sigma, l \leftarrow 
e \Downarrow^{c}_{f} \sigma', T$ with $\sigma' = \sigma[l \leftarrow v]$. Also, $\mathit{reach}(\mathsf{write}(v), \sigma) = \mathit{reach}(v, \sigma) = L$. 
Therefore, $\mathit{reach}(\sigma'(l), \sigma') = L$ because $l \notin L$. Of course, $L \subseteq L \cup \mathit{alloc}(T)$. 

• read/no ch.: We handle read in two parts. The first part deals with the situation where there 
is no change to the location that has been read. In this case we apply the substitution lemma 
to establish the preconditions for the induction hypothesis and conclude using Lemma 9. 

• read/ch.: If change propagation detects that the location being read contains a new value, 
it re-executes the body of $\mathsf{read}\ l'\ \mathsf{as}\ x\ \mathsf{in}\ e$. Using substitution we establish the pre- 
conditions of Lemma 6 and conclude by using the induction hypothesis. 

• memo/hit: Like in the proof for Lemma 8, the memo/hit case is handled by two cascading 
applications of the induction hypothesis (Lemma 9). 

• memo/miss: Again, the case where the original evaluation did not get an answer from the 
oracle is handled easily by using the induction hypothesis (Lemma 9). 

• let: We consider the evaluation of $\mathsf{let}\ x = e_1\ \mathsf{in}\ e_2$. As before, the challenge is to establish 
that the evaluation of $[v_1/x]\, e_2$, where $v_1$ is the (stable) result of $e_1$, is well-formed. The 
argument is tedious but straightforward and proceeds much like that in the proof of Lemma 6. 

All remaining cases are handled by the induction hypothesis (Lemma 9) which becomes appli- 
cable after establishing validity using the substitution lemma. 

4.2 Proofs for equivalence to pure semantics 

The proofs for Lemmas 3 and 4 proceed by simultaneous induction on the derivation of the memo- 
free evaluation. The following two subsections outline the two major parts of the case analysis. 

Proof sketch for Lemma 3 (stable evaluation) 

We proceed by considering each possible stable evaluation rule: 

• value: Immediate. 

• primitives: Using the condition on primitive operations that they commute with lifts, this is 
immediate. 

• mod: Consider $\mathsf{mod}\ e_c$. The induction hypothesis (Lemma 4) on the evaluation of $e_c$ directly 
gives the required result. 

• memo: Since we consider memo-free evaluations, we only need to consider the use of 
the memo/miss rule. The result follows by direct application of the induction hypothesis 
(Lemma 3). 

• let: We have $\sigma, \mathsf{let}\ x = e_1\ \mathsf{in}\ e_2 \Downarrow^{s}_{f,ok} v_2, \sigma'', \mathsf{let}\ T_1\ T_2$. Because of validity of the original 
evaluation, we also have $\mathit{reach}(\mathsf{let}\ x = e_1\ \mathsf{in}\ e_2, \sigma) = L$ with $L \cap \mathit{alloc}(\mathsf{let}\ T_1\ T_2) = \emptyset$. 

Therefore, $\sigma, e_1 \Downarrow^{s}_{f,ok} v_1, \sigma', T_1$ where $\mathit{reach}(e_1, \sigma) = L_1$ and $L_1 \cap \mathit{alloc}(T_1) = \emptyset$ because $L_1 \subseteq L$ 
and $\mathit{alloc}(T_1) \subseteq \mathit{alloc}(\mathsf{let}\ T_1\ T_2)$. By the induction hypothesis (Lemma 3) we get 
$(e_1 \uparrow \sigma) \Downarrow_{st} (v_1 \uparrow \sigma')$. 

We can establish validity for $\sigma', [v_1/x]\, e_2 \Downarrow^{s}_{f} v_2, \sigma'', T_2$ the same way we did in the proof 
of Lemma 5, so by a second application of the induction hypothesis we get $([v_1/x]\, e_2 \uparrow 
\sigma') \Downarrow_{st} (v_2 \uparrow \sigma'')$. But by substitution (Lemma 7) we have $([v_1/x]\, e_2) \uparrow \sigma' = [(v_1 \uparrow 
\sigma')/x]\, (e_2 \uparrow \sigma')$. Using the evaluation rule let/p this gives the desired result. 

The remaining cases follow straightforwardly by applying the induction hypothesis (Lemma 3) 
after establishing validity using the substitution lemma. 

Proof sketch for Lemma 4 (changeable evaluation) 

Here we consider each possible changeable evaluation rule: 

• write: Immediate by the definition of lift. 

• read: Using the definition of lift and the substitution lemma, this follows by an application 
of the induction hypothesis (Lemma 4). 

• memo: Like in the stable setting, this case is handled by straightforward application of the 
induction hypothesis because no memo hit needs to be considered. 

• let: The let case is again somewhat tedious. It proceeds by first using the induction hy- 
pothesis (Lemma 3) on the stable sub-expression, then re-establishing validity using the 
substitution lemma, and finally applying the induction hypothesis a second time (this time in 
the form of Lemma 4). 

All other cases are handled by an application of the induction hypothesis (Lemma 4) after 
establishing validity using the substitution lemma. 






5 Mechanization in Twelf 



To increase our confidence in the proofs for the correctness and the consistency theorems, we have 
encoded the AML language and the proofs in Twelf [18] and machine-checked the proofs. We 
follow the standard judgments-as-types methodology [12], and check our theorems using the Twelf 
metatheorem checker. For full details on using Twelf in this way for proofs about programming 
languages, see Harper and Licata's paper [?]. 

The LF encoding of the syntax and semantics of AML corresponds very closely to the paper 
judgments (in an informal sense; we have not proved formally that the LF encoding is adequate, 
and take adequacy to be evident). However, in a few cases we have altered the judgments, driven 
by the needs of the mechanized proof. For example, on paper we write memo-free and general 
evaluations as different judgments, and silently coerce memo-free to general evaluations in the 
proof. We could represent the two judgments by separate LF type families, but the proof would 
then require a lemma to convert one judgment to the other. Instead, we define a type family to 
represent general evaluations, and a separate type family, indexed by evaluation derivations, to 
represent the judgment that an evaluation derivation is memo-free. 

The proof of consistency (a metatheorem in Twelf) corresponds closely to the paper proof in 
overall structure. The proof of memo-freedom consists of four mutually-inductive lemmas: memo- 
freedom for stable and changeable expressions (Lemma 5 and Lemma 6), and versions of these 
with an additional change propagation following the evaluation (needed for the hit cases). In the 
hit cases for these latter lemmas, we must eliminate two change propagations: we call the lemma 
once to eliminate the first, then a second time on the output of the first call to eliminate the second. 
Since the evaluation in the second call is not a subderivation of the input, we must give a separate 
termination metric. The metric is defined on evaluation derivations and simply counts the number 
of evaluations in the derivations, including those inside of change propagations. In an evaluation 
which contains change propagations, there are "garbage" evaluations which are removed during 
hit-elimination. Therefore, hit-elimination reduces this metric (or keeps it the same, if there were 
no change propagations to remove). We add arguments to the lemmas to account for the metric, 
and simultaneously prove that the metric is smaller in each inductive call, in order for Twelf to 
check termination. 

Aside from this structural difference due to termination checking, the main difference from the 
paper proof is that the Twelf proof must of course spell out all the details which the paper proof 
leaves to the reader to verify. In particular, we must encode "background" structures such as finite 
sets of locations, and prove relevant properties of such structures. While we are not the first to use 
these structures in Twelf, Twelf has poor support for reusable libraries at present. Moreover, our 
needs are somewhat specialized: because we need to prove properties about stores which differ 
only on a set of locations, it is convenient to encode stores and location sets in a slightly unusual 
way: location sets are represented as lists of bits, and stores are represented as lists of value options; 
in both representations the nth list element corresponds to the nth location. This makes it easy to 
prove the necessary lemmas by parallel induction over the lists. 
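The list encodings described above are simple enough to reproduce outside Twelf. The block below is an added example for this page, not the paper's own development: it implements location sets as lists of booleans and stores as lists of value options, with equality up to trailing absent elements, and the position-by-position operations (union, disjointness, subset, store update, "stores differ only on a set of locations") whose Twelf counterparts appear in Appendix A. The function names echo the Twelf type families; the Python is this example's own.

```python
# Added example (not the paper's Twelf): the list encodings of location sets
# and stores from Section 5, in Python.  A location is its index n; a set is a
# list of booleans whose n-th element says whether location n is present, and
# a store is a list whose n-th element is the value at location n or None
# (sv-free).  Lists that differ only by trailing False / None are equivalent.
# Function names mirror the Twelf type families (ls-union, ls-disjoint, ...);
# the Python itself is this example's own.


def _pad(xs, n, fill):
    """Extend xs with fill up to length n (the implicit trailing elements)."""
    return list(xs) + [fill] * (n - len(xs))


def ls_normalize(x):
    """Strip trailing absent bits: the canonical form behind ls-eq."""
    x = list(x)
    while x and not x[-1]:
        x.pop()
    return x


def ls_eq(x, y):
    return ls_normalize(x) == ls_normalize(y)


def ls_sing(loc):
    """The singleton set {loc} (ls-sing)."""
    return [False] * loc + [True]


def ls_union(x, y):
    """Pointwise or (ls-union, with loc-or at each position)."""
    n = max(len(x), len(y))
    return [a or b for a, b in zip(_pad(x, n, False), _pad(y, n, False))]


def ls_disjoint(x, y):
    """x and y share no location (ls-disjoint).  zip stops at the shorter
    list, whose missing tail is absent anyway."""
    return not any(a and b for a, b in zip(x, y))


def ls_subeq(x, y):
    """x is a subset of y: every present position of x is present in y."""
    n = max(len(x), len(y))
    return all((not a) or b for a, b in zip(_pad(x, n, False), _pad(y, n, False)))


def st_lookup(store, loc):
    """Value at loc, or None when loc is free or beyond the list."""
    return store[loc] if loc < len(store) else None


def st_update(store, loc, value):
    """The store with loc set to value, growing the list with free slots."""
    new = _pad(store, loc + 1, None)
    new[loc] = value
    return new


def st_eq(s1, s2):
    n = max(len(s1), len(s2))
    return _pad(s1, n, None) == _pad(s2, n, None)


def st_diff(s1, s2):
    """Set of locations on which two stores differ, computed position by
    position: the parallel induction over the lists that the lemmas use."""
    n = max(len(s1), len(s2))
    return [a != b for a, b in zip(_pad(s1, n, None), _pad(s2, n, None))]


def st_equal_up_to(s1, s2, x):
    """s1 and s2 agree outside the location set x, i.e. s1 is equal to s2 up
    to x (as the store after e1 is equal to the initial store up to
    alloc(T1) in the let case of Lemma 5)."""
    return ls_subeq(st_diff(s1, s2), x)


if __name__ == "__main__":
    s = [None, 5]
    print(st_update(s, 3, 7), st_equal_up_to(s, st_update(s, 3, 7), ls_sing(3)))
```

Because both representations are plain lists indexed by location, every property reduces to a loop over positions, which is exactly what makes the corresponding Twelf lemmas provable by induction on the two lists side by side.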

The complete Twelf code can be found in Appendix [A] 
6 Implementation Strategies 

The dynamic semantics of AML (Section 2) does not translate directly to an algorithm, not to 
mention an efficient one.¹ In particular, an algorithm consistent with the semantics must specify 
an oracle and a way to allocate locations to ensure that all locations allocated in a trace are unique. 
Strategies for implementing the semantics are beyond the scope of this paper, but we briefly describe a 
conservative strategy for implementation. The strategy ensures that 

1. each allocated location is fresh (i.e., is not contained in the memory) 

2. the oracle returns only traces currently residing in the memory, 

3. the oracle never returns a trace more than once, and 

4. the oracle performs function comparisons by using tag equality. 

The first two conditions together guarantee uniqueness of allocated locations. The third condi- 
tion guarantees that no location can appear in the execution trace more than once by limiting the 
oracle from ever returning the same trace multiple times. This condition is conservative, because it 
is possible that the parts of a trace returned by the oracle are thrown away (become unused) during 
change propagation. This strategy can be relaxed by allowing the change-propagation algorithm 
to return unused traces to the oracle. The last condition enables implementing oracle queries by 
comparing functions and their arguments by using tag equality. Since in the semantics, the oracle is 
non-deterministic, this implementation strategy is consistent with the semantics. The conservative 
strategy can be implemented in such a way that the total space consumption is no more than that of 
a from-scratch run. Such an implementation has been described and evaluated elsewhere [3] and 
has formed the basis for subsequent larger-scale implementations [11, 15]. 
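The four conditions above can be exercised in a small model. The following is an added example written for this page; it is not an implementation from the paper or from the libraries it cites, and the names (Memory, Oracle, Trace, memo_call) and the toy memoized function are this example's own assumptions. It runs the same program twice, the second time against the traces of the first, and checks the invariant the strategy is meant to guarantee, that no location is allocated twice within a run. A switch disables condition 3 to show how duplicated allocations arise when the oracle may return the same trace repeatedly.

```python
# Added example (not an implementation from the paper or the libraries it
# cites): a small model of the conservative strategy of Section 6.  Class and
# function names (Memory, Oracle, Trace, memo_call) and the toy memoized
# function are this example's own assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Trace:
    tag: int        # identity of the memoized function, compared by tag (condition 4)
    args: tuple     # argument values of the call
    result: int     # location holding the call's result
    allocs: tuple   # locations allocated while producing this trace


class Memory:
    """A store plus a counter for the next location.  Locations are never
    reissued, so each allocated location is absent from the store at the time
    it is allocated (condition 1)."""

    def __init__(self):
        self.store = {}
        self._next = 0

    def alloc(self, value):
        loc = self._next
        self._next += 1
        assert loc not in self.store, "fresh location already in memory"
        self.store[loc] = value
        return loc


class Oracle:
    """Memo table keyed by (function tag, arguments).  Traces recorded during
    one run become available to the next one; consume=False switches off
    condition 3 to show why it is needed."""

    def __init__(self, memory, consume=True):
        self.memory = memory
        self.consume = consume
        self.available = {}   # traces of the previous run, answerable now
        self.recorded = {}    # traces of the run in progress

    def record(self, trace):
        self.recorded.setdefault((trace.tag, trace.args), []).append(trace)

    def query(self, tag, args):
        entries = self.available.get((tag, args), [])
        for i in range(len(entries) - 1, -1, -1):
            t = entries[i]
            resident = t.result in self.memory.store and all(
                loc in self.memory.store for loc in t.allocs)
            if not resident:          # condition 2: only traces still in memory
                del entries[i]
                continue
            if self.consume:          # condition 3: hand each trace out once
                del entries[i]
            return t
        return None

    def end_run(self):
        self.available, self.recorded = self.recorded, {}


def memo_call(oracle, tag, args, body):
    """memo: ask the oracle; on a miss run body(memory, *args), which returns
    (result location, allocated locations), and build a new trace.  Either
    way the trace becomes part of the current run.  Returns (trace, hit)."""
    trace = oracle.query(tag, args)
    hit = trace is not None
    if not hit:
        result, allocs = body(oracle.memory, *args)
        trace = Trace(tag, args, result, tuple(allocs))
    oracle.record(trace)
    return trace, hit


def allocations_unique(traces):
    """No location is allocated twice across the traces of one run."""
    seen = set()
    for t in traces:
        for loc in t.allocs:
            if loc in seen:
                return False
            seen.add(loc)
    return True


SQUARE = 1  # tag standing in for the closure identity of `square`


def square(memory, n):
    """Toy memoized body: allocate one modifiable holding n*n."""
    loc = memory.alloc(n * n)
    return loc, [loc]


def simulate(consume=True):
    """Run square over (3, 4, 3), then re-run it over (3, 3, 3) against the
    traces of the first run.  Returns (traces of the second run, hit count)."""
    memory = Memory()
    oracle = Oracle(memory, consume)
    for n in (3, 4, 3):
        memo_call(oracle, SQUARE, (n,), square)
    oracle.end_run()
    traces, hits = [], 0
    for n in (3, 3, 3):
        trace, hit = memo_call(oracle, SQUARE, (n,), square)
        traces.append(trace)
        hits += hit
    return traces, hits


if __name__ == "__main__":
    for consume in (True, False):
        traces, hits = simulate(consume)
        print(consume, hits, [t.allocs for t in traces], allocations_unique(traces))
```

With condition 3 in force the second run reuses each of the two recorded traces for square(3) once and allocates a fresh location for the third call; without it the same trace is returned three times and its location appears three times in the run's trace, which is exactly the situation the uniqueness requirement on allocated locations rules out.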

7 Related Work 

The related work that this paper directly builds on has been discussed in the rest of the paper. Here 
we briefly discuss other related work on incremental computation and the impact of the results presented 
in this paper on follow-up work on self-adjusting computation. 

The term "incremental computation" broadly refers to techniques for allowing computations 
to respond automatically to changes to their data. Motivated by the copious applications where 
such dynamically changing data arise, researchers have proposed numerous approaches to incre- 
mental computation. The most effective techniques are based on static dependence graphs [?], 
memoization [19], and partial evaluation [10, 20]. 

Dependence graphs record the dependencies between data in a computation and rely on a 
change-propagation algorithm to update the computation when the input is modified (e.g., [9, 14]). 
Dependence graphs are effective in some applications, e.g., syntax-directed computations, but are 
not general-purpose because change propagation does not update the dependence structure. Mem- 
oization (also called function caching) (e.g., [19, ?, 13]) applies to any purely functional program 
and therefore is more broadly applicable than static dependence graphs. This classic idea dating 
back to the late 1950's [8, 16, 17] yields efficient incremental computations when executions of 
a program with similar inputs perform similar function calls. It turns out, however, that even 
small input modifications can prevent reuse via memoization, e.g., when they affect computations 
deep in the call tree [3]. Partial-evaluation-based approaches [20, 10] require the user to fix a par- 
tition of the input and specialize the program so that modifications to the unfixed part are processed faster. The 
main limitation of this approach is that it allows input modifications only within a predetermined 
partition. 

¹ Since our theorems and lemmas concern given derivations (not the problem of finding them), this does not constitute 
a problem for our results. 

The semantics proposed here achieve efficient incremental computation by integrating a previ- 
ous generalization of dependence graphs, which allows change propagation to modify the dependence 
structure [4], with memoization. Specifically, it permits the change-propagation algorithm to re-use 
computations even after the computation state is modified via mutations to memory. In contrast, 
conventional memoization permits re-use only of the (unchanged) results of computations. 

The presented semantics forms the foundation for nearly all the follow-up work on self-adjusting 
computation. After its publication as a conference paper, the semantics have been realized as a 
Standard ML library [3] and generalized to support imperative references [?]. These results have 
then led to the development of the CEAL [?] and Delta ML languages, which provide direct 
language support for self-adjusting computation [15]. A relatively broad set of applications of the 
proposed techniques have also been investigated, including simpler computational benchmarks and 
more sophisticated applications in computational geometry and machine learning (e.g., [7, 6]). 
These applications show that the proposed approach can provide asymptotically optimal updates 
in theory while also delivering massive speedups in practice. In some cases, the techniques have 
enabled us to solve open problems that resisted traditional approaches. 

8 Conclusion 

We present a general semantics for integrating memoization and change propagation where memo- 
ization is modeled as a non-deterministic oracle, and computation re-use is possible in the presence 
of mutation. Mutations arise for two reasons. First, the semantics permit the store to be modified 
between two runs while allowing computations to be re-used between two such runs; this mod- 
els dynamic data changes. Second, the techniques for change propagation mutate the store by 
selectively re-executing pieces of the first run to derive the second run. The key idea behind the 
semantics is to enable re-use of computations themselves by adapting re-used computations to 
mutations via recursive applications of change propagation. Our main theorem shows that the se- 
mantics are consistent with deterministic, purely functional programming. By giving a general, 
oracle-based semantics for combining memoization and change propagation, we cover a variety 
of possible techniques for implementing self-adjusting computation. By proving the semantics 
correct with minimal assumptions, we identify the properties that correct implementations must 
satisfy. The results reported in this work laid out the formal foundation on which other work on 
self-adjusting computation has built. Indeed, the semantics have subsequently been generalized 
to imperative programming constructs and been adapted and realized in strongly typed functional 
languages as well as procedural, weakly typed languages. 
A The Complete Twelf Proof 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
%% proof.twelf 
%% 
%% This file contains the complete Twelf code for the consistency 
%% and correctness proofs for the AML semantics described in 
%% "A Consistent Semantics of Self-Adjusting Computation" 
%% by U. A. Acar, M. Blume, J. Donham. 
%% 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
%% false.elf 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%% The uninhabited type, indicating a contradiction. 
false : type. 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
%% nat.elf 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%% Natural numbers. 

nat : type. %name nat _N. 

z : nat. 
s : nat -> nat. 

nat-eq : nat -> nat -> type. 
nat-eq_ : nat-eq N N. 

leq : nat -> nat -> type. 
leq-z : leq z _. 
leq-s : leq (s N1) (s N2) 
     <- leq N1 N2. 

sum : nat -> nat -> nat -> type. 
%mode sum +X +Y -Z. 

sum-z : sum z N N. 
sum-s : sum (s N1) N2 (s N3) 
     <- sum N1 N2 N3. 

%worlds () (sum _ _ _). 
%total X (sum X _ _). 
%reduces Y <= Z (sum _ Y Z). 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
%% syntax.elf 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%% Locations are just indices into a store. 

loc : type. %name loc _L. 
loc-z : loc. 
loc-s : loc -> loc. 

loc-neq : loc -> loc -> type. 
loc-neq-nil1 : loc-neq loc-z (loc-s L). 
loc-neq-nil2 : loc-neq (loc-s L) loc-z. 
loc-neq-cons : loc-neq (loc-s L1) (loc-s L2) 
     <- loc-neq L1 L2. 



%% Syntax of AML. 

val : type. %name val _V. 
es : type. %name es _Es. 
ec : type. %name ec _Ec. 

val-emp : val. 
val-nat : nat -> val. 
val-loc : loc -> val. 
val-pr : val -> val -> val. 
val-inl : val -> val. 
val-inr : val -> val. 
val-fns : (val -> val -> es) -> val. 
val-fnc : (val -> val -> ec) -> val. 

es-val : val -> es. 
es-plus : val -> val -> es. 
es-mod : ec -> es. 
es-memo : es -> es. 
es-app : val -> val -> es. 
es-let : es -> (val -> es) -> es. 
es-letp : val -> (val -> val -> es) -> es. 
es-case : val -> (val -> es) -> (val -> es) -> es. 
ec-wr : val -> ec. 

ec-read : val -> (val -> ec) -> ec. 

ec-memo : ec -> ec. 

ec-app : val -> val -> ec. 

ec-let : es -> (val -> ec) -> ec. 

ec-letp : val -> (val -> val -> ec) -> ec. 

ec-case : val -> (val -> ec) -> (val -> ec) -> ec. 

val-eq : val -> val -> type. 

val-eq_ : val-eq V V. 

val-neq : val -> val -> type. 

es-eq : es -> es -> type. 

es-eq_ : es-eq Es Es. 

ec-eq : ec -> ec -> type. 

ec-eq_ : ec-eq Ec Ec. 

var : val -> type. 

%block val-block : block {v : val}. 

%block var-block : block {v : val} {d : var v} . 



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
%% locset.elf 
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 

%% Sets of locations. We represent them as lists of bits; lists which 
%% differ only by trailing false bits are equivalent. 

loc-state : type. 
loc-present : loc-state. 
loc-absent : loc-state. 

loc-or : loc-state -> loc-state -> loc-state -> type. 
loc-or-aa : loc-or loc-absent loc-absent loc-absent. 
loc-or-px : loc-or loc-present _ loc-present. 
loc-or-xp : loc-or _ loc-present loc-present. 

ls : type. %name ls _X. 
ls-nil : ls. 
ls-cons : loc-state -> ls -> ls. 



%% check for empty set 
ls-empty : ls -> type. 
ls-empty-n : ls-empty ls-nil. 
ls-empty-a : ls-empty (ls-cons loc-absent X) 
     <- ls-empty X. 

%% set equality 
ls-eq : ls -> ls -> type. 
ls-eq-nx : ls-eq ls-nil X 
     <- ls-empty X. 
ls-eq-xn : ls-eq X ls-nil 
     <- ls-empty X. 
ls-eq-cc : ls-eq (ls-cons P X1) (ls-cons P X2) 
     <- ls-eq X1 X2. 

%% representation identity 
ls-id : ls -> ls -> type. 
ls-id_ : ls-id X X. 

%% X_1 \subseteq X_2 
ls-subeq : ls -> ls -> type. 
ls-subeq-nx : ls-subeq ls-nil _. 
ls-subeq-xn : ls-subeq X ls-nil 
     <- ls-empty X. 
ls-subeq-ax : ls-subeq (ls-cons loc-absent X1) (ls-cons _ X2) 
     <- ls-subeq X1 X2. 
ls-subeq-pp : ls-subeq (ls-cons loc-present X1) (ls-cons loc-present X2) 
     <- ls-subeq X1 X2. 

%% X_1 \cup X_2 
ls-union : ls -> ls -> ls -> type. 
ls-un-nx : ls-union ls-nil X X. 
ls-un-xn : ls-union X ls-nil X. 
ls-un-cc : ls-union (ls-cons P1 X1) (ls-cons P2 X2) (ls-cons P X) 
     <- loc-or P1 P2 P 
     <- ls-union X1 X2 X. 

%% X_1 \cap X_2 = \emptyset 
ls-disjoint : ls -> ls -> type. 
ls-dj-nx : ls-disjoint ls-nil _. 
ls-dj-xn : ls-disjoint _ ls-nil. 
ls-dj-ac : ls-disjoint (ls-cons loc-absent X) (ls-cons _ X') 
     <- ls-disjoint X X'. 
ls-dj-ca : ls-disjoint (ls-cons _ X) (ls-cons loc-absent X') 
     <- ls-disjoint X X'. 

%% Set of a single location 
ls-sing : loc -> ls -> type. 
ls-sing-z : ls-sing loc-z (ls-cons loc-present ls-nil). 
ls-sing-s : ls-sing (loc-s L) (ls-cons loc-absent S) 
     <- ls-sing L S. 


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% store.elf
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Stores mapping locations to values. We represent them as lists of
%% value options, where the i'th element of the list is the value of
%% location i in the store (or sv-free if the location is
%% undefined). As with location sets, stores differing only by trailing
%% sv-free's are equivalent.
%% We choose the bitwise representations because it makes the lemmas
%% of interest easier to prove; they are generally just an induction
%% over the bits.

st : type. %name st _S.
sv : type. %name sv _SV. %% store value: either free or a value

sv-free : sv.
sv-val : val -> sv.

sv-eq : sv -> sv -> type.
sv-eq_ : sv-eq SV SV.

st-nil : st.
st-cons : sv -> st -> st.

%% Are all locations empty?
st-empty : st -> type.
st-empty-n : st-empty st-nil.
st-empty-e : st-empty (st-cons sv-free S)
  <- st-empty S.

%% Store equality. (Could we get away with syntactic equality? Probably.)
st-eq : st -> st -> type.
st-eq-nx : st-eq st-nil S
  <- st-empty S.
st-eq-xn : st-eq S st-nil
  <- st-empty S.
st-eq-cc : st-eq (st-cons SV1 S1) (st-cons SV2 S2)
  <- sv-eq SV1 SV2
  <- st-eq S1 S2.

%% \sigma [l \leftarrow v]
st-update : st -> loc -> val -> st -> type.
st-up-nz : st-update st-nil loc-z V (st-cons (sv-val V) st-nil).
st-up-cz : st-update (st-cons _ S) loc-z V (st-cons (sv-val V) S).
st-up-ns : st-update st-nil (loc-s L) V (st-cons sv-free S)
  <- st-update st-nil L V S.
st-up-cs : st-update (st-cons SV S) (loc-s L) V (st-cons SV S')
  <- st-update S L V S'.

%% \sigma(l)
st-lookup : st -> loc -> val -> type.
st-lo-z : st-lookup (st-cons (sv-val V) _) loc-z V.
st-lo-s : st-lookup (st-cons _ S) (loc-s L) V
  <- st-lookup S L V.



%% st-sqsubeq-ex S1 X S2 holds if for any location L allocated in S1 with
%% value V, either L is in X or S2 has value V at location L.
%% This is rather painful because of the treatment of ls-nil and st-nil
%% in the 2nd and 3rd arguments, respectively.
st-sqsubeq-ex : st -> ls -> st -> type.
st-ssee-nxx : st-sqsubeq-ex st-nil _ _.
st-ssee-fnn : st-sqsubeq-ex (st-cons sv-free S1') ls-nil st-nil
  <- st-sqsubeq-ex S1' ls-nil st-nil.
st-ssee-fcn : st-sqsubeq-ex (st-cons sv-free S1') (ls-cons _ X') st-nil
  <- st-sqsubeq-ex S1' X' st-nil.
st-ssee-fnc : st-sqsubeq-ex (st-cons sv-free S1') ls-nil (st-cons _ S2')
  <- st-sqsubeq-ex S1' ls-nil S2'.
st-ssee-fcc : st-sqsubeq-ex (st-cons sv-free S1') (ls-cons _ X') (st-cons _ S2')
  <- st-sqsubeq-ex S1' X' S2'.
st-ssee-vnv : st-sqsubeq-ex (st-cons (sv-val V1) S1') ls-nil
                            (st-cons (sv-val V2) S2')
  <- val-eq V1 V2
  <- st-sqsubeq-ex S1' ls-nil S2'.
st-ssee-vav : st-sqsubeq-ex (st-cons (sv-val V1) S1') (ls-cons loc-absent X')
                            (st-cons (sv-val V2) S2')
  <- val-eq V1 V2
  <- st-sqsubeq-ex S1' X' S2'.
st-ssee-cpn : st-sqsubeq-ex (st-cons _ S1') (ls-cons loc-present X') st-nil
  <- st-sqsubeq-ex S1' X' st-nil.
st-ssee-cpc : st-sqsubeq-ex (st-cons _ S1') (ls-cons loc-present X') (st-cons _ S2')
  <- st-sqsubeq-ex S1' X' S2'.
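The bit-list location sets of locset.elf and the option-list stores of store.elf above, modelled in Python as an added example; this is not part of the paper's Twelf development. Each function mirrors one Twelf type family (ls-eq, ls-subeq, ls-union, ls-disjoint, ls-sing, st-update, st-lookup, st-eq, st-sqsubeq-ex); the Python lists, with `True` standing for loc-present, `None` for sv-free and a plain integer for a location built from loc-z and loc-s, are assumptions of this example, as is the "equal modulo trailing absent/free entries" padding helper.

```python
"""Location sets and stores as in locset.elf / store.elf (added example)."""
from typing import Any, List, Optional

LocSet = List[bool]            # index i is True when location i is loc-present
Store = List[Optional[Any]]    # index i holds sigma(i), or None for sv-free


def _pad(xs: list, n: int, fill) -> list:
    """Copy xs and extend it with `fill` up to length n: the implicit trailing
    loc-absent bits (or sv-free entries) that the Twelf equivalence ignores."""
    return list(xs) + [fill] * (n - len(xs))


def ls_eq(x1: LocSet, x2: LocSet) -> bool:
    """ls-eq: equal as sets, i.e. equal modulo trailing loc-absent bits."""
    n = max(len(x1), len(x2))
    return _pad(x1, n, False) == _pad(x2, n, False)


def ls_subeq(x1: LocSet, x2: LocSet) -> bool:
    """ls-subeq: every present bit of X1 is present in X2."""
    n = max(len(x1), len(x2))
    return all((not a) or b for a, b in zip(_pad(x1, n, False), _pad(x2, n, False)))


def ls_union(x1: LocSet, x2: LocSet) -> LocSet:
    """ls-union: position-wise loc-or (ls-un-cc); ls-nil is the identity."""
    n = max(len(x1), len(x2))
    return [a or b for a, b in zip(_pad(x1, n, False), _pad(x2, n, False))]


def ls_disjoint(x1: LocSet, x2: LocSet) -> bool:
    """ls-disjoint: no position is present in both (ls-dj-ac / ls-dj-ca);
    positions past the shorter list are absent there, so zip suffices."""
    return not any(a and b for a, b in zip(x1, x2))


def ls_sing(loc: int) -> LocSet:
    """ls-sing: the singleton {loc}; loc-z is 0 and each loc-s adds one
    leading loc-absent bit (ls-sing-s)."""
    return [False] * loc + [True]


def st_update(s: Store, loc: int, v: Any) -> Store:
    """st-update: sigma[loc <- v]; pads with sv-free when loc lies past the
    end of the list (st-up-ns), otherwise overwrites in place (st-up-cz)."""
    s2 = _pad(s, loc + 1, None)
    s2[loc] = v
    return s2


def st_lookup(s: Store, loc: int) -> Any:
    """st-lookup: sigma(loc). There is no derivation for a free location, so
    this raises instead of returning a value."""
    if loc < len(s) and s[loc] is not None:
        return s[loc]
    raise KeyError(f"location {loc} is free")


def st_eq(s1: Store, s2: Store) -> bool:
    """st-eq: equal modulo trailing sv-free entries."""
    n = max(len(s1), len(s2))
    return _pad(s1, n, None) == _pad(s2, n, None)


def st_sqsubeq_ex(s1: Store, x: LocSet, s2: Store) -> bool:
    """st-sqsubeq-ex S1 X S2: every location allocated in S1 with value V is
    either excluded by X or still holds V in S2 (which may be shorter)."""
    for loc, v in enumerate(s1):
        if v is None:                       # sv-free: nothing to preserve
            continue
        in_x = loc < len(x) and x[loc]      # ls-cons loc-present ... at loc
        unchanged = loc < len(s2) and s2[loc] == v
        if not (in_x or unchanged):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample data: two writes, then a store that dropped location 1.
    sigma = st_update(st_update([], 0, "a"), 2, "c")
    print(sigma, ls_sing(2), st_sqsubeq_ex(sigma, ls_sing(2), ["a"]))
```

The padding helper is what makes `ls_eq` and `st_eq` agree with the Twelf rules ls-eq-nx/ls-eq-xn and st-eq-nx/st-eq-xn: a shorter list is compared as if extended with absent bits or free cells, so `[True]` and `[True, False]` denote the same set and `["a"]` and `["a", None]` the same store.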



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
%% trace. elf 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
%% Evaluation traces, and their allocated locations. 



trs : type. %name trs _Ts.
trc : type. %name trc _Tc.

trs-nil : trs.
trs-mod : loc -> trc -> trs.
trs-let : trs -> trs -> trs.

trc-wr : val -> trc.
trc-let : trs -> trc -> trc.
trc-rd : loc -> val -> (val -> ec) -> trc -> trc.

trs-gen : trs -> ls -> type.
trc-gen : trc -> ls -> type.

trs-gen-nil : trs-gen trs-nil ls-nil.
trs-gen-mod : trs-gen (trs-mod L Tc) X1+X2
  <- trc-gen Tc X1
  <- ls-sing L X2
  <- ls-union X1 X2 X1+X2.
trs-gen-let : trs-gen (trs-let Ts1 Ts2) X
  <- trs-gen Ts1 X1
  <- trs-gen Ts2 X2
  <- ls-union X1 X2 X.

trc-gen-wr : trc-gen (trc-wr V) ls-nil.
trc-gen-let : trc-gen (trc-let Ts1 Tc2) X
  <- trs-gen Ts1 X1
  <- trc-gen Tc2 X2
  <- ls-union X1 X2 X.
trc-gen-rd : trc-gen (trc-rd L V Ec Tc) X
  <- trc-gen Tc X.



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
%% wf-ex.elf 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
%% Well-formed expressions (with lifts and reachable locations) 



wf-val : val -> st -> val -> ls -> type.
wf-es : es -> st -> es -> ls -> type.
wf-ec : ec -> st -> ec -> ls -> type.

wf-val-var : wf-val V S V ls-nil
  <- var V.

wf-val-emp : wf-val val-emp S val-emp ls-nil.
wf-val-nat : wf-val (val-nat N) S (val-nat N) ls-nil.
wf-val-loc : wf-val (val-loc L) S V' X1+X2
  <- st-lookup S L V
  <- wf-val V S V' X1
  <- ls-sing L X2
  <- ls-union X1 X2 X1+X2.
wf-val-pr : wf-val (val-pr V1 V2) S (val-pr V1' V2') X1+X2
  <- wf-val V1 S V1' X1
  <- wf-val V2 S V2' X2
  <- ls-union X1 X2 X1+X2.
wf-val-inl : wf-val (val-inl V) S (val-inl V') X
  <- wf-val V S V' X.
wf-val-inr : wf-val (val-inr V) S (val-inr V') X
  <- wf-val V S V' X.
wf-val-fns : wf-val (val-fns Es) S (val-fns Es') X
  <- ({v1} {d1 : var v1}
      {v2} {d2 : var v2}
      wf-es (Es v1 v2) S (Es' v1 v2) X).
wf-val-fnc : wf-val (val-fnc Ec) S (val-fnc Ec') X
  <- ({v1} {d1 : var v1}
      {v2} {d2 : var v2}
      wf-ec (Ec v1 v2) S (Ec' v1 v2) X).

wf-es-val : wf-es (es-val V) S (es-val V') X
  <- wf-val V S V' X.
wf-es-plus : wf-es (es-plus V1 V2) S (es-plus V1' V2') X
  <- wf-val V1 S V1' X1
  <- wf-val V2 S V2' X2
  <- ls-union X1 X2 X.
wf-es-mod : wf-es (es-mod Ec) S (es-mod Ec') X
  <- wf-ec Ec S Ec' X.
wf-es-app : wf-es (es-app V1 V2) S (es-app V1' V2') X
  <- wf-val V1 S V1' X1
  <- wf-val V2 S V2' X2
  <- ls-union X1 X2 X.
wf-es-let : wf-es (es-let Es1 Es2) S (es-let Es1' Es2') X
  <- wf-es Es1 S Es1' X1
  <- ({v} {d : var v}
      wf-es (Es2 v) S (Es2' v) X2)
  <- ls-union X1 X2 X.
wf-es-letp : wf-es (es-letp V Es) S (es-letp V' Es') X
  <- wf-val V S V' X1
  <- ({v1} {d1 : var v1}
      {v2} {d2 : var v2}
      wf-es (Es v1 v2) S (Es' v1 v2) X2)
  <- ls-union X1 X2 X.
wf-es-case : wf-es (es-case V Es1 Es2) S (es-case V' Es1' Es2') X
  <- wf-val V S V' X0
  <- ({v} {d : var v}
      wf-es (Es1 v) S (Es1' v) X1)
  <- ({v} {d : var v}
      wf-es (Es2 v) S (Es2' v) X2)
  <- ls-union X1 X2 X12
  <- ls-union X12 X0 X.
wf-es-memo : wf-es (es-memo Es) S (es-memo Es') X
  <- wf-es Es S Es' X.

wf-ec-wr : wf-ec (ec-wr V) S (ec-wr V') X
  <- wf-val V S V' X.
wf-ec-read : wf-ec (ec-read V Ec) S (ec-read V' Ec') X
  <- wf-val V S V' X1
  <- ({v} {d : var v}
      wf-ec (Ec v) S (Ec' v) X2)
  <- ls-union X1 X2 X.
wf-ec-app : wf-ec (ec-app V1 V2) S (ec-app V1' V2') X
  <- wf-val V1 S V1' X1
  <- wf-val V2 S V2' X2
  <- ls-union X1 X2 X.
wf-ec-let : wf-ec (ec-let Es1 Ec2) S (ec-let Es1' Ec2') X
  <- wf-es Es1 S Es1' X1
  <- ({v} {d : var v}
      wf-ec (Ec2 v) S (Ec2' v) X2)
  <- ls-union X1 X2 X.
wf-ec-letp : wf-ec (ec-letp V Ec) S (ec-letp V' Ec') X
  <- wf-val V S V' X1
  <- ({v1} {d1 : var v1}
      {v2} {d2 : var v2}
      wf-ec (Ec v1 v2) S (Ec' v1 v2) X2)
  <- ls-union X1 X2 X.
wf-ec-case : wf-ec (ec-case V Ec1 Ec2) S (ec-case V' Ec1' Ec2') X
  <- wf-val V S V' X0
  <- ({v} {d : var v}
      wf-ec (Ec1 v) S (Ec1' v) X1)
  <- ({v} {d : var v}
      wf-ec (Ec2 v) S (Ec2' v) X2)
  <- ls-union X1 X2 X12
  <- ls-union X12 X0 X.
wf-ec-memo : wf-ec (ec-memo Ec) S (ec-memo Ec') X
  <- wf-ec Ec S Ec' X.



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
%% eval.elf 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
%% General, well-formed, and clean evaluations. 

evals : st -> es -> val -> st -> trs -> type.
evalc : st -> loc -> ec -> st -> trc -> type.

wf-evals : es -> ls -> ls -> evals _ _ _ _ _ -> type.
wf-evalc : ec -> ls -> ls -> ls -> evalc _ _ _ _ _ -> type.

wf-evals_ : wf-evals Es' R G (Devals : evals S Es V S' Ts)
  <- wf-es Es S Es' R
  <- trs-gen Ts G
  <- ls-disjoint R G.

wf-evalc_ : wf-evalc Ec' R G X (Devalc : evalc S L Ec S' Tc)
  <- wf-ec Ec S Ec' R
  <- trc-gen Tc G
  <- ls-disjoint R G
  <- ls-sing L X
  <- ls-disjoint X R
  <- ls-disjoint X G.

cps : st -> trs -> st -> trs -> type.
cpc : st -> loc -> trc -> st -> trc -> type.

evals-val : evals S (es-val V) V S trs-nil.
evals-plus : evals S (es-plus (val-nat N1) (val-nat N2)) (val-nat N3) S trs-nil
  <- sum N1 N2 N3.
evals-mod : evals S (es-mod Ec) (val-loc L) S' (trs-mod L Tc)
  <- evalc S L Ec S' Tc
  <- trc-gen Tc G
  <- ls-sing L X
  <- ls-disjoint X G.
evals-memo-miss : evals S (es-memo Es) V S' Ts
  <- evals S Es V S' Ts.

%% can we mix backward arrows with Pi's?
evals-memo-hit : cps S Ts1 S' Ts
  -> {Devals : evals S1 Es V S1' Ts1}
     wf-evals Es' R G Devals
  -> evals S (es-memo Es) V S' Ts.

evals-app : evals S (es-app (val-fns Es) V2) V S' Ts
  <- evals S (Es (val-fns Es) V2) V S' Ts.
evals-let : evals S (es-let Es1 Es2) V2 S2 (trs-let Ts1 Ts2)
  <- evals S Es1 V1 S1 Ts1
  <- evals S1 (Es2 V1) V2 S2 Ts2
  <- trs-gen Ts1 G1
  <- trs-gen Ts2 G2
  <- ls-disjoint G1 G2.
evals-letp : evals S (es-letp (val-pr V1 V2) Es) V S' Ts
  <- evals S (Es V1 V2) V S' Ts.
evals-case-inl : evals S (es-case (val-inl V) Es1 Es2) V' S' Ts
  <- evals S (Es1 V) V' S' Ts.
evals-case-inr : evals S (es-case (val-inr V) Es1 Es2) V' S' Ts
  <- evals S (Es2 V) V' S' Ts.

evalc-write : evalc S L (ec-wr V) S' (trc-wr V)
  <- st-update S L V S'.
evalc-read : evalc S L' (ec-read (val-loc L) Ec) S' (trc-rd L V Ec Tc)
  <- st-lookup S L V
  <- evalc S L' (Ec V) S' Tc.
evalc-memo-miss : evalc S L (ec-memo Ec) S' Tc
  <- evalc S L Ec S' Tc.

%% can we mix backward arrows with Pi's?
evalc-memo-hit : cpc S L Tc1 S' Tc
  -> {Devalc : evalc S1 L Ec S1' Tc1}
     wf-evalc Ec' R G X Devalc
  -> evalc S L (ec-memo Ec) S' Tc.

evalc-app : evalc S L (ec-app (val-fnc Ec) V2) S' Tc
  <- evalc S L (Ec (val-fnc Ec) V2) S' Tc.
evalc-let : evalc S L (ec-let Es1 Ec2) S2 (trc-let Ts1 Tc2)
  <- evals S Es1 V S1 Ts1
  <- evalc S1 L (Ec2 V) S2 Tc2
  <- trs-gen Ts1 G1
  <- trc-gen Tc2 G2
  <- ls-disjoint G1 G2.
evalc-letp : evalc S L (ec-letp (val-pr V1 V2) Ec) S' Tc
  <- evalc S L (Ec V1 V2) S' Tc.
evalc-case-inl : evalc S L (ec-case (val-inl V) Ec1 Ec2) S' Tc
  <- evalc S L (Ec1 V) S' Tc.
evalc-case-inr : evalc S L (ec-case (val-inr V) Ec1 Ec2) S' Tc
  <- evalc S L (Ec2 V) S' Tc.

cps-nil : cps S trs-nil S trs-nil.
cps-mod : cps S (trs-mod L Tc) S' (trs-mod L Tc')
  <- cpc S L Tc S' Tc'
  <- trc-gen Tc' G
  <- ls-sing L X
  <- ls-disjoint X G.
cps-let : cps S (trs-let Ts1 Ts2) S'' (trs-let Ts1' Ts2')
  <- cps S Ts1 S' Ts1'
  <- cps S' Ts2 S'' Ts2'
  <- trs-gen Ts1' G1
  <- trs-gen Ts2' G2
  <- ls-disjoint G1 G2.

cpc-write : cpc S L (trc-wr V) S' (trc-wr V)
  <- st-update S L V S'.
cpc-let : cpc S L' (trc-let Ts1 Tc2) S'' (trc-let Ts1' Tc2')
  <- cps S Ts1 S' Ts1'
  <- cpc S' L' Tc2 S'' Tc2'
  <- trs-gen Ts1' G1
  <- trc-gen Tc2' G2
  <- ls-disjoint G1 G2.
%% the read location still holds the value recorded in the trace: keep going
cpc-read/noch : cpc S L (trc-rd L' V Ec Tc) S' (trc-rd L' V Ec Tc')
  <- st-lookup S L' V
  <- cpc S L Tc S' Tc'.
%% the read location changed: re-evaluate the continuation on the new value
cpc-read/ch : cpc S L (trc-rd L' V Ec Tc) S' (trc-rd L' V' Ec Tc')
  <- st-lookup S L' V'
  <- val-neq V V'
  <- evalc S L (Ec V') S' Tc'.

cln-evals : evals _ _ _ _ _ -> type.
cln-evalc : evalc _ _ _ _ _ -> type.

cln-evals-val : cln-evals evals-val.
cln-evals-plus : cln-evals (evals-plus _).
cln-evals-mod : cln-evals (evals-mod _ _ _ D)
  <- cln-evalc D.
cln-evals-miss : cln-evals (evals-memo-miss D)
  <- cln-evals D.
cln-evals-app : cln-evals (evals-app D)
  <- cln-evals D.
cln-evals-let : cln-evals (evals-let _ _ _ D2 D1)
  <- cln-evals D1
  <- cln-evals D2.
cln-evals-letp : cln-evals (evals-letp D)
  <- cln-evals D.
cln-evals-inl : cln-evals (evals-case-inl D)
  <- cln-evals D.
cln-evals-inr : cln-evals (evals-case-inr D)
  <- cln-evals D.

cln-evalc-write : cln-evalc (evalc-write _).
cln-evalc-read : cln-evalc (evalc-read D _)
  <- cln-evalc D.
cln-evalc-miss : cln-evalc (evalc-memo-miss D)
  <- cln-evalc D.
cln-evalc-app : cln-evalc (evalc-app D)
  <- cln-evalc D.
cln-evalc-let : cln-evalc (evalc-let _ _ _ D2 D1)
  <- cln-evals D1
  <- cln-evalc D2.
cln-evalc-letp : cln-evalc (evalc-letp D)
  <- cln-evalc D.
cln-evalc-inl : cln-evalc (evalc-case-inl D)
  <- cln-evalc D.
cln-evalc-inr : cln-evalc (evalc-case-inr D)
  <- cln-evalc D.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% pure.elf
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% The "pure" semantics

%% pure evaluation for stable and changeable expressions
evals-pure : es -> val -> type.
evalc-pure : ec -> val -> type.

%% stable expressions.
evals-pure-val : evals-pure (es-val V) V.
evals-pure-plus : evals-pure (es-plus (val-nat N1) (val-nat N2)) (val-nat N3)
  <- sum N1 N2 N3.
evals-pure-mod : evals-pure (es-mod E) V
  <- evalc-pure E V.
evals-pure-memo : evals-pure (es-memo E) V
  <- evals-pure E V.
evals-pure-app : evals-pure (es-app (val-fns Es) V1) V2
  <- evals-pure (Es (val-fns Es) V1) V2.
evals-pure-let : evals-pure (es-let Es1 Es2) V2
  <- evals-pure Es1 V1
  <- evals-pure (Es2 V1) V2.
evals-pure-letp : evals-pure (es-letp (val-pr V1 V2) Es) V
  <- evals-pure (Es V1 V2) V.
evals-pure-case-inl : evals-pure (es-case (val-inl V1) Es1 Es2) V2
  <- evals-pure (Es1 V1) V2.
evals-pure-case-inr : evals-pure (es-case (val-inr V1) Es1 Es2) V2
  <- evals-pure (Es2 V1) V2.

%% changeable expressions.
evalc-pure-write : evalc-pure (ec-wr V) V.
evalc-pure-read : evalc-pure (ec-read V1 Ec) V2
  <- evalc-pure (Ec V1) V2.
evalc-pure-memo : evalc-pure (ec-memo Ec) V
  <- evalc-pure Ec V.
evalc-pure-app : evalc-pure (ec-app (val-fnc Ec) V1) V2
  <- evalc-pure (Ec (val-fnc Ec) V1) V2.
evalc-pure-let : evalc-pure (ec-let Es Ec) V2
  <- evals-pure Es V1
  <- evalc-pure (Ec V1) V2.
evalc-pure-letp : evalc-pure (ec-letp (val-pr V1 V2) Ec) V
  <- evalc-pure (Ec V1 V2) V.
evalc-pure-case-inl : evalc-pure (ec-case (val-inl V1) Ec1 Ec2) V2
  <- evalc-pure (Ec1 V1) V2.
evalc-pure-case-inr : evalc-pure (ec-case (val-inr V1) Ec1 Ec2) V2
  <- evalc-pure (Ec2 V1) V2.



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% nat-lemmas.thm
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

leq-refl : {N} leq N N -> type.
%mode leq-refl +X1 -X2.

- : leq-refl z leq-z.
- : leq-refl (s N) (leq-s Dleq)
  <- leq-refl N Dleq.

%worlds () (leq-refl _ _).
%total D (leq-refl D _).

leq-refl-s : {N} leq N (s N) -> type.
%mode leq-refl-s +X1 -X2.

- : leq-refl-s z leq-z.
- : leq-refl-s (s N) (leq-s Dleq)
  <- leq-refl-s N Dleq.

%worlds () (leq-refl-s _ _).
%total D (leq-refl-s D _).

sum-id : {N} sum N z N -> type.
%mode sum-id +N -S.

- : sum-id z sum-z.
- : sum-id (s N) (sum-s S) <- sum-id N S.

%worlds () (sum-id _ _).
%total N (sum-id N _).

sum-inc : sum X Y Z -> sum X (s Y) (s Z) -> type.
%mode sum-inc +S1 -S2.

- : sum-inc sum-z sum-z.
- : sum-inc (sum-s S1) (sum-s S2) <- sum-inc S1 S2.

%worlds () (sum-inc _ _).
%total S (sum-inc S _).

sum-commutes : sum X Y Z -> sum Y X Z -> type.
%mode sum-commutes +S1 -S2.

sum-commutes-z : sum-commutes sum-z S'
  <- sum-id _ S'.
sum-commutes-s : sum-commutes (sum-s S) S''
  <- sum-commutes S S'
  <- sum-inc S' S''.

%worlds () (sum-commutes _ _).
%total S (sum-commutes S _).

sum-reduces : {X} {Y} {Z} sum X Y Z -> type.
%mode sum-reduces +X +Y +Z +S.

sum-reduces-z : sum-reduces z Y Y sum-z.
sum-reduces-s : sum-reduces (s X) Y (s Z) (sum-s S)
  <- sum-reduces X Y Z S.

%worlds () (sum-reduces _ _ _ _).
%total S (sum-reduces _ _ _ S).
%reduces Y <= Z (sum-reduces _ Y Z _).

leq-trans : leq N1 N2 -> leq N2 N3 -> leq N1 N3 -> type.
%mode leq-trans +X1 +X2 -X3.

- : leq-trans leq-z _ leq-z.
- : leq-trans (leq-s Dleq1) (leq-s Dleq2) (leq-s Dleq3)
  <- leq-trans Dleq1 Dleq2 Dleq3.

%worlds () (leq-trans _ _ _).
%total D (leq-trans D _ _).

leq-imp-sum : sum N1 N2 N3 -> leq N1 N3 -> type.
%mode leq-imp-sum -X1 +X2.

leq-imp-sum-z : leq-imp-sum sum-z leq-z.
leq-imp-sum-s : leq-imp-sum (sum-s D) (leq-s D')
  <- leq-imp-sum D D'.

%worlds () (leq-imp-sum _ _).
%total D (leq-imp-sum _ D).

leq-reduces : {X} {Y} leq X Y -> type.
%mode leq-reduces +X +Y +L.

- : leq-reduces X Y LE
  <- leq-imp-sum S LE
  <- sum-commutes S S'
  <- sum-reduces _ _ _ S'.

%worlds () (leq-reduces _ _ _).
%total {} (leq-reduces _ _ _).
%reduces X <= Y (leq-reduces X Y _).

can-sum : {N1} {N2} sum N1 N2 N3 -> type.
%mode can-sum +X1 +X2 -X3.

- : can-sum z N sum-z.
- : can-sum (s N1) N2 (sum-s Dsum)
  <- can-sum N1 N2 Dsum.

%worlds () (can-sum _ _ _).
%total D (can-sum D _ _).

sum-imp-leq : sum N1 N2 N3 -> leq N1 N3 -> leq N2 N3 -> type.
%mode sum-imp-leq +X1 -X2 -X3.

- : sum-imp-leq sum-z leq-z Dleq
  <- leq-refl _ Dleq.
- : sum-imp-leq (sum-s Dsum) (leq-s Dleq1) Dleq2
  <- sum-imp-leq Dsum Dleq1 Dleq3
  <- leq-refl-s _ Dleq4
  <- leq-trans Dleq3 Dleq4 Dleq2.

%worlds () (sum-imp-leq _ _ _).
%total D (sum-imp-leq D _ _).

sum-monotone : leq N1 N1' -> leq N2 N2' -> sum N1 N2 N3 -> sum N1' N2' N3'
  -> leq N3 N3' -> type.
%mode sum-monotone +X1 +X2 +X3 +X4 -X5.

- : sum-monotone leq-z D12 sum-z Ds' D13
  <- sum-imp-leq Ds' _ D1
  <- leq-trans D12 D1 D13.
- : sum-monotone (leq-s D11) D12 (sum-s Ds) (sum-s Ds') (leq-s D13)
  <- sum-monotone D11 D12 Ds Ds' D13.

%worlds () (sum-monotone _ _ _ _ _).
%total D (sum-monotone D _ _ _ _).

sum-s-rh-r : sum A B S -> sum A (s B) (s S) -> type.
%mode sum-s-rh-r +D1 -D2.

- : sum-s-rh-r sum-z sum-z.
- : sum-s-rh-r (sum-s D) (sum-s D')
  <- sum-s-rh-r D D'.

%worlds () (sum-s-rh-r _ _).
%total D (sum-s-rh-r D _).

sum-s-rh-l : sum A B S -> sum A (s B) (s S) -> type.
%mode sum-s-rh-l -D1 +D2.

- : sum-s-rh-l sum-z sum-z.
- : sum-s-rh-l (sum-s D) (sum-s D')
  <- sum-s-rh-l D D'.

%worlds () (sum-s-rh-l _ _).
%total D (sum-s-rh-l _ D).

sum-subsums : sum N1 N2 N1+N2
  -> sum N3 N4 N3+N4
  -> sum N1+N2 N3+N4 N1+N2+N3+N4
  -> sum N1 N3 N1+N3
  -> sum N2 N4 N2+N4
  -> sum N1+N3 N2+N4 N1+N2+N3+N4
  -> type.
%mode sum-subsums +X1 +X2 +X3 +X4 +X5 -X6.

- : sum-subsums sum-z Ds34 sum-z sum-z sum-z Ds34.
- : sum-subsums (sum-s Ds12) Ds34 (sum-s Ds12+34) (sum-s Ds13) Ds24
               (sum-s Ds13+24)
  <- sum-subsums Ds12 Ds34 Ds12+34 Ds13 Ds24 Ds13+24.
- : sum-subsums Ds12' Ds34 (sum-s Ds12+34) Ds13 (sum-s Ds24)
               Ds13+2'4
  <- sum-s-rh-l Ds12 Ds12'
  <- sum-subsums Ds12 Ds34 Ds12+34 Ds13 Ds24 Ds13+24
  <- sum-s-rh-r Ds13+24 Ds13+2'4.

%worlds () (sum-subsums _ _ _ _ _ _).
%total {D5 D1} (sum-subsums D1 _ _ _ D5 _).

nat-eq-s : nat-eq N1 N2 -> nat-eq (s N1) (s N2) -> type.
%mode nat-eq-s +X1 -X2.

- : nat-eq-s nat-eq_ nat-eq_.

%worlds () (nat-eq-s _ _).
%total {} (nat-eq-s _ _).

sum-fun :
  sum N1 N2 N3 ->
  sum N1 N2 N3' ->
  nat-eq N3 N3' ->
  type.
%mode sum-fun +X1 +X2 -X3.

- : sum-fun sum-z sum-z nat-eq_.
- : sum-fun (sum-s Dsum) (sum-s Dsum') Deq'
  <- sum-fun Dsum Dsum' Deq''
  <- nat-eq-s Deq'' Deq'.

%worlds () (sum-fun _ _ _).
%total D (sum-fun D _ _).



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% locset-lemmas.thm
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

can-loc-or : {P1} {P2} loc-or P1 P2 P -> type.
%mode can-loc-or +P1 +P2 -P.

- : can-loc-or _ _ loc-or-aa.
- : can-loc-or _ _ loc-or-px.
- : can-loc-or _ _ loc-or-xp.

%worlds () (can-loc-or _ _ _).
%total P (can-loc-or P _ _).



can-ls-union : {X1} {X2} ls-union X1 X2 X3 -> type.
%mode can-ls-union +X1 +X2 -X3.

- : can-ls-union ls-nil _ ls-un-nx.
- : can-ls-union _ ls-nil ls-un-xn.
- : can-ls-union (ls-cons P1 X1) (ls-cons P2 X2) (ls-un-cc U O)
  <- can-ls-union X1 X2 U
  <- can-loc-or P1 P2 O.

%worlds () (can-ls-union _ _ _).
%total D (can-ls-union D _ _).

can-ls-sing : {L} ls-sing L X -> type.
%mode can-ls-sing +X1 -X2.

- : can-ls-sing loc-z ls-sing-z.
- : can-ls-sing (loc-s L) (ls-sing-s Sg) <- can-ls-sing L Sg.

%worlds () (can-ls-sing _ _).
%total L (can-ls-sing L _).

loc-or-commutes : loc-or A B C -> loc-or B A C -> type.
%mode loc-or-commutes +X -Y.

- : loc-or-commutes loc-or-aa loc-or-aa.
- : loc-or-commutes loc-or-xp loc-or-px.
- : loc-or-commutes loc-or-px loc-or-xp.

%worlds () (loc-or-commutes _ _).
%total {} (loc-or-commutes _ _).

ls-union-commutes : ls-union X Y Z -> ls-union Y X Z -> type.
%mode ls-union-commutes +X1 -X2.

- : ls-union-commutes ls-un-nx ls-un-xn.
- : ls-union-commutes ls-un-xn ls-un-nx.
- : ls-union-commutes (ls-un-cc U O) (ls-un-cc U' O')
  <- loc-or-commutes O O'
  <- ls-union-commutes U U'.

%worlds () (ls-union-commutes _ _).
%total D (ls-union-commutes D _).

ls-subeq-refl : {X} ls-subeq X X -> type.
%mode ls-subeq-refl +X1 -X2.

- : ls-subeq-refl ls-nil ls-subeq-nx.
- : ls-subeq-refl (ls-cons loc-absent X) (ls-subeq-ax D)
  <- ls-subeq-refl X D.
- : ls-subeq-refl (ls-cons loc-present X) (ls-subeq-pp D)
  <- ls-subeq-refl X D.

%worlds () (ls-subeq-refl _ _).
%total D (ls-subeq-refl D _).

ls-union-imp-subeq :
  ls-union S1 S2 S3 ->
  ls-subeq S1 S3 ->
  ls-subeq S2 S3 ->
  type.
%mode ls-union-imp-subeq +X1 -X2 -X3.

- : ls-union-imp-subeq ls-un-nx ls-subeq-nx SE2
  <- ls-subeq-refl _ SE2.
- : ls-union-imp-subeq ls-un-xn SE1 ls-subeq-nx
  <- ls-subeq-refl _ SE1.
- : ls-union-imp-subeq
     (ls-un-cc Un loc-or-aa)
     (ls-subeq-ax SE1)
     (ls-subeq-ax SE2)
     <- ls-union-imp-subeq Un SE1 SE2.
- : ls-union-imp-subeq
     (ls-un-cc Un loc-or-px)
     (ls-subeq-pp SE1)
     (ls-subeq-ax SE2)
     <- ls-union-imp-subeq Un SE1 SE2.
- : ls-union-imp-subeq
     (ls-un-cc Un loc-or-px)
     (ls-subeq-pp SE1)
     (ls-subeq-pp SE2)
     <- ls-union-imp-subeq Un SE1 SE2.
- : ls-union-imp-subeq
     (ls-un-cc Un loc-or-xp)
     (ls-subeq-ax SE1)
     (ls-subeq-pp SE2)
     <- ls-union-imp-subeq Un SE1 SE2.
- : ls-union-imp-subeq
     (ls-un-cc Un loc-or-xp)
     (ls-subeq-pp SE1)
     (ls-subeq-pp SE2)
     <- ls-union-imp-subeq Un SE1 SE2.

%worlds () (ls-union-imp-subeq _ _ _).
%total D (ls-union-imp-subeq D _ _).

ls-emp-impl-subeq-any : {Y} ls-empty X -> ls-subeq X Y -> type.
%mode ls-emp-impl-subeq-any +Y +E -SE.

- : ls-emp-impl-subeq-any ls-nil E (ls-subeq-xn E).
- : ls-emp-impl-subeq-any _ ls-empty-n ls-subeq-nx.
- : ls-emp-impl-subeq-any (ls-cons _ X) (ls-empty-a E) (ls-subeq-ax SE)
  <- ls-emp-impl-subeq-any X E SE.

%worlds () (ls-emp-impl-subeq-any _ _ _).
%total D (ls-emp-impl-subeq-any _ D _).

ls-subeq-emp-impl-emp : ls-subeq X Y -> ls-empty Y -> ls-empty X -> type.
%mode ls-subeq-emp-impl-emp +X1 +X2 -X3.

- : ls-subeq-emp-impl-emp ls-subeq-nx _ ls-empty-n.
- : ls-subeq-emp-impl-emp (ls-subeq-xn E) ls-empty-n E.
- : ls-subeq-emp-impl-emp (ls-subeq-ax SE) (ls-empty-a E) (ls-empty-a E')
  <- ls-subeq-emp-impl-emp SE E E'.

%worlds () (ls-subeq-emp-impl-emp _ _ _).
%total D (ls-subeq-emp-impl-emp _ D _).

ls-subeq-trans :
  ls-subeq X1 X2 ->
  ls-subeq X2 X3 ->
  ls-subeq X1 X3 ->
  type.
%mode ls-subeq-trans +X1 +X2 -X3.

- : ls-subeq-trans ls-subeq-nx _ ls-subeq-nx.
- : ls-subeq-trans D ls-subeq-nx D'
  <- ls-subeq-emp-impl-emp D ls-empty-n E'
  <- ls-emp-impl-subeq-any _ E' D'.
- : ls-subeq-trans D (ls-subeq-xn E) D'
  <- ls-subeq-emp-impl-emp D E E'
  <- ls-emp-impl-subeq-any _ E' D'.
- : ls-subeq-trans (ls-subeq-ax D12) (ls-subeq-ax D23) (ls-subeq-ax D13)
  <- ls-subeq-trans D12 D23 D13.
- : ls-subeq-trans (ls-subeq-ax D12) (ls-subeq-pp D23) (ls-subeq-ax D13)
  <- ls-subeq-trans D12 D23 D13.
- : ls-subeq-trans (ls-subeq-pp D12) (ls-subeq-pp D23) (ls-subeq-pp D13)
  <- ls-subeq-trans D12 D23 D13.

%worlds () (ls-subeq-trans _ _ _).
%total D (ls-subeq-trans D _ _).



ls-union-monotone-l :
  ls-union X Y Z ->
  ls-subeq X X' ->
  ls-union X' Y Z' ->
  ls-subeq Z Z' ->
  type.
%mode ls-union-monotone-l +X1 +X2 +X3 -X4.

%% if Y = ls-nil, then X = Z and X' = Z'
- : ls-union-monotone-l
     (_ : ls-union _ ls-nil _)
     SE
     _
     SE.

%% now Y = (ls-cons _ _)
%% consider X = ls-nil, so Y = Z
- : ls-union-monotone-l
     ls-un-nx
     _
     Un
     SE
     <- ls-union-imp-subeq Un _ SE.

%% now Y = (ls-cons _ _) and X = (ls-cons _ _)
%% now if X' = ls-nil, X must be empty...
- : ls-union-monotone-l
     (ls-un-cc Un loc-or-aa)
     (ls-subeq-xn (ls-empty-a E))
     ls-un-nx
     (ls-subeq-ax SE)
     <- ls-union-monotone-l Un (ls-subeq-xn E) ls-un-nx SE.
- : ls-union-monotone-l
     (ls-un-cc Un loc-or-xp)
     (ls-subeq-xn (ls-empty-a E))
     ls-un-nx
     (ls-subeq-pp SE)
     <- ls-union-monotone-l Un (ls-subeq-xn E) ls-un-nx SE.

%% finally, if X' = (ls-cons _ _)...
- : ls-union-monotone-l
     (ls-un-cc Un _)
     (ls-subeq-ax SE)
     (ls-un-cc Un' loc-or-aa)
     (ls-subeq-ax SE')
     <- ls-union-monotone-l Un SE Un' SE'.
- : ls-union-monotone-l
     (ls-un-cc Un _)
     (ls-subeq-ax SE)
     (ls-un-cc Un' loc-or-xp)
     (ls-subeq-pp SE')
     <- ls-union-monotone-l Un SE Un' SE'.
- : ls-union-monotone-l
     (ls-un-cc Un _)
     (ls-subeq-ax SE)
     (ls-un-cc Un' loc-or-px)
     (ls-subeq-pp SE')
     <- ls-union-monotone-l Un SE Un' SE'.
- : ls-union-monotone-l
     (ls-un-cc Un _)
     (ls-subeq-ax SE)
     (ls-un-cc Un' loc-or-px)
     (ls-subeq-ax SE')
     <- ls-union-monotone-l Un SE Un' SE'.
- : ls-union-monotone-l
     (ls-un-cc Un _)
     (ls-subeq-pp SE)
     (ls-un-cc Un' _)
     (ls-subeq-pp SE')
     <- ls-union-monotone-l Un SE Un' SE'.
- : ls-union-monotone-l
     (ls-un-cc Un _)
     (ls-subeq-pp SE)
     (ls-un-cc Un' _)
     (ls-subeq-pp SE')
     <- ls-union-monotone-l Un SE Un' SE'.

%worlds () (ls-union-monotone-l _ _ _ _).
%total D (ls-union-monotone-l D _ _ _).



ls-union-monotone-r :
  ls-union X Y Z ->
  ls-subeq Y Y' ->
  ls-union X Y' Z' ->
  ls-subeq Z Z' ->
  type.
%mode ls-union-monotone-r +X1 +X2 +X3 -X4.

- : ls-union-monotone-r Un SE Un' SE'
  <- ls-union-commutes Un Unc
  <- ls-union-commutes Un' Unc'
  <- ls-union-monotone-l Unc SE Unc' SE'.

%worlds () (ls-union-monotone-r _ _ _ _).
%total {} (ls-union-monotone-r _ _ _ _).

ls-union-monotone :
  ls-union X1 X2 X3 ->
  ls-subeq X1 X1' ->
  ls-subeq X2 X2' ->
  ls-union X1' X2' X3' ->
  ls-subeq X3 X3' ->
  type.
%mode ls-union-monotone +X1 +X2 +X3 +X4 -X5.

- : ls-union-monotone Un SE1 SE2 Un' SE3
  <- can-ls-union _ _ Un1'2
  <- ls-union-monotone-l Un SE1 Un1'2 SEl
  <- ls-union-monotone-r Un1'2 SE2 Un' SEr
  <- ls-subeq-trans SEl SEr SE3.

%worlds () (ls-union-monotone _ _ _ _ _).
%total {} (ls-union-monotone _ _ _ _ _).

ls-disjoint-commutes :
  ls-disjoint X1 X2 ->
  ls-disjoint X2 X1 ->
  type.
%mode ls-disjoint-commutes +X1 -X2.

- : ls-disjoint-commutes ls-dj-nx ls-dj-xn.
- : ls-disjoint-commutes ls-dj-xn ls-dj-nx.
- : ls-disjoint-commutes (ls-dj-ac D) (ls-dj-ca D')
  <- ls-disjoint-commutes D D'.
- : ls-disjoint-commutes (ls-dj-ca D) (ls-dj-ac D')
  <- ls-disjoint-commutes D D'.

%worlds () (ls-disjoint-commutes _ _).
%total D (ls-disjoint-commutes D _).

ls-emp-implies-dj :
  {Y} ls-empty X -> ls-disjoint X Y -> ls-disjoint Y X -> type.
%mode ls-emp-implies-dj +Y +E -D1 -D2.

- : ls-emp-implies-dj _ ls-empty-n ls-dj-nx ls-dj-xn.
- : ls-emp-implies-dj ls-nil _ ls-dj-xn ls-dj-nx.
- : ls-emp-implies-dj
     (ls-cons _ Y) (ls-empty-a E) (ls-dj-ac Dj1) (ls-dj-ca Dj2)
     <- ls-emp-implies-dj Y E Dj1 Dj2.

%worlds () (ls-emp-implies-dj _ _ _ _).
%total Y (ls-emp-implies-dj Y _ _ _).

ls-disjoint-resp-subeq :
  ls-disjoint X1 X2 ->
  ls-subeq X1' X1 ->
  ls-subeq X2' X2 ->
  ls-disjoint X1' X2' ->
  type.
%mode ls-disjoint-resp-subeq +X1 +X2 +X3 -X4.

- : ls-disjoint-resp-subeq _ ls-subeq-nx _ ls-dj-nx.
- : ls-disjoint-resp-subeq _ _ ls-subeq-nx ls-dj-xn.
- : ls-disjoint-resp-subeq _ (ls-subeq-xn E1) _ Dj
  <- ls-emp-implies-dj _ E1 Dj _.
- : ls-disjoint-resp-subeq _ _ (ls-subeq-xn E2) Dj
  <- ls-emp-implies-dj _ E2 _ Dj.
- : ls-disjoint-resp-subeq
     (ls-dj-ac Dj)
     (ls-subeq-ax SE1)
     (ls-subeq-ax SE2)
     (ls-dj-ac Dj')
     <- ls-disjoint-resp-subeq Dj SE1 SE2 Dj'.
- : ls-disjoint-resp-subeq
     (ls-dj-ac Dj)
     (ls-subeq-ax SE1)
     (ls-subeq-pp SE2)
     (ls-dj-ac Dj')
     <- ls-disjoint-resp-subeq Dj SE1 SE2 Dj'.
- : ls-disjoint-resp-subeq
     (ls-dj-ca Dj)
     (ls-subeq-ax SE1)
     (ls-subeq-ax SE2)
     (ls-dj-ac Dj')
     <- ls-disjoint-resp-subeq Dj SE1 SE2 Dj'.
- : ls-disjoint-resp-subeq
     (ls-dj-ca Dj)
     (ls-subeq-pp SE1)
     (ls-subeq-ax SE2)
     (ls-dj-ca Dj')
     <- ls-disjoint-resp-subeq Dj SE1 SE2 Dj'.

%worlds () (ls-disjoint-resp-subeq _ _ _ _).
%total D (ls-disjoint-resp-subeq D _ _ _).

ls-union-emp-emp-emp :
  ls-union X Y Z -> ls-empty X -> ls-empty Y -> ls-empty Z -> type.
%mode ls-union-emp-emp-emp +U +EX +EY -EZ.

- : ls-union-emp-emp-emp _ ls-empty-n E E.
- : ls-union-emp-emp-emp _ E ls-empty-n E.
- : ls-union-emp-emp-emp
     (ls-un-cc Un _) (ls-empty-a X) (ls-empty-a Y) (ls-empty-a Z)
     <- ls-union-emp-emp-emp Un X Y Z.

%worlds () (ls-union-emp-emp-emp _ _ _ _).
%total D (ls-union-emp-emp-emp D _ _ _).

ls-emp-emp-eq : ls-empty X -> ls-empty Y -> ls-eq X Y -> type.
%mode ls-emp-emp-eq +E1 +E2 -Eq.

- : ls-emp-emp-eq ls-empty-n E2 (ls-eq-nx E2).
- : ls-emp-emp-eq E1 ls-empty-n (ls-eq-xn E1).
- : ls-emp-emp-eq (ls-empty-a E1) (ls-empty-a E2) (ls-eq-cc Eq)
  <- ls-emp-emp-eq E1 E2 Eq.

%worlds () (ls-emp-emp-eq _ _ _).
%total D (ls-emp-emp-eq D _ _).

ls-eq-refl : {X} ls-eq X X -> type.
%mode ls-eq-refl +X -Eq.

- : ls-eq-refl ls-nil (ls-eq-nx ls-empty-n).
- : ls-eq-refl (ls-cons _ X) (ls-eq-cc Eq) <- ls-eq-refl X Eq.

%worlds () (ls-eq-refl _ _).
%total X (ls-eq-refl X _).

ls-union-emp-eq : ls-union X Y Z -> ls-empty X -> ls-eq Y Z -> type.
%mode ls-union-emp-eq +U +E -Eq.

- : ls-union-emp-eq ls-un-nx _ Eq
  <- ls-eq-refl _ Eq.
- : ls-union-emp-eq ls-un-xn EZ (ls-eq-nx EZ).
- : ls-union-emp-eq (ls-un-cc Un Or) (ls-empty-a EX) (ls-eq-cc Eq)
  <- ls-union-emp-eq Un EX Eq.

%worlds () (ls-union-emp-eq _ _ _).
%total D (ls-union-emp-eq D _ _).


ls-subeq-union :
    ls-subeq X1 X2 ->
    ls-subeq X3 X2 ->
    ls-union X1 X3 X4 ->
    ls-subeq X4 X2 ->
    type.
%mode ls-subeq-union +X1 +X2 +X3 -X4.



- : ls-subeq-union ls-subeq-nx SE _ SE.

- : ls-subeq-union SE ls-subeq-nx _ SE.

- : ls-subeq-union
    (ls-subeq-xn E1)
    (ls-subeq-xn E3)
    Un
    (ls-subeq-xn E4)
    <- ls-union-emp-emp-emp Un E1 E3 E4.

- : ls-subeq-union
    (ls-subeq-ax SE12)
    (ls-subeq-ax SE32)
    (ls-un-cc Un _)
    (ls-subeq-ax SE42)
    <- ls-subeq-union SE12 SE32 Un SE42.

- : ls-subeq-union
    (ls-subeq-pp SE12)
    (ls-subeq-ax SE32)
    (ls-un-cc Un _)
    (ls-subeq-pp SE42)
    <- ls-subeq-union SE12 SE32 Un SE42.

- : ls-subeq-union
    (ls-subeq-ax SE12)
    (ls-subeq-pp SE32)
    (ls-un-cc Un _)
    (ls-subeq-pp SE42)
    <- ls-subeq-union SE12 SE32 Un SE42.

- : ls-subeq-union
    (ls-subeq-pp SE12)
    (ls-subeq-pp SE32)
    (ls-un-cc Un _)
    (ls-subeq-pp SE42)
    <- ls-subeq-union SE12 SE32 Un SE42.

%worlds () (ls-subeq-union _ _ _ _).
%total D (ls-subeq-union D _ _ _).



ls-disjoint-union :
    ls-disjoint X Z ->
    ls-disjoint Y Z ->
    ls-union X Y XY ->
    ls-disjoint XY Z ->
    type.
%mode ls-disjoint-union +X1 +X2 +X3 -X4.

- : ls-disjoint-union ls-dj-nx Dj ls-un-nx Dj.

- : ls-disjoint-union Dj ls-dj-nx ls-un-xn Dj.

- : ls-disjoint-union _ ls-dj-xn _ ls-dj-xn.

- : ls-disjoint-union ls-dj-xn _ _ ls-dj-xn.

- : ls-disjoint-union
    (ls-dj-ac DjXZ) (ls-dj-ac DjYZ) (ls-un-cc Un _) (ls-dj-ac DjXYZ)
    <- ls-disjoint-union DjXZ DjYZ Un DjXYZ.

- : ls-disjoint-union
    (ls-dj-ca DjXZ) (ls-dj-ac DjYZ) (ls-un-cc Un _) (ls-dj-ca DjXYZ)
    <- ls-disjoint-union DjXZ DjYZ Un DjXYZ.

- : ls-disjoint-union
    (ls-dj-ac DjXZ) (ls-dj-ca DjYZ) (ls-un-cc Un _) (ls-dj-ca DjXYZ)
    <- ls-disjoint-union DjXZ DjYZ Un DjXYZ.

- : ls-disjoint-union
    (ls-dj-ca DjXZ) (ls-dj-ca DjYZ) (ls-un-cc Un _) (ls-dj-ca DjXYZ)
    <- ls-disjoint-union DjXZ DjYZ Un DjXYZ.

%worlds () (ls-disjoint-union _ _ _ _).
%total D (ls-disjoint-union D _ _ _).



ls-emp-impl-disj :
    {Y} ls-empty X -> ls-disjoint X Y -> ls-disjoint Y X -> type.
%mode ls-emp-impl-disj +Y +E -D1 -D2.

- : ls-emp-impl-disj ls-nil _ ls-dj-xn ls-dj-nx.

- : ls-emp-impl-disj _ ls-empty-n ls-dj-nx ls-dj-xn.

- : ls-emp-impl-disj (ls-cons _ Y) (ls-empty-a E) (ls-dj-ac D) (ls-dj-ca D')
    <- ls-emp-impl-disj Y E D D'.

%worlds () (ls-emp-impl-disj _ _ _ _).
%total D (ls-emp-impl-disj D _ _ _).



ls-disjoint-resp-eq :
    ls-disjoint X1 X2 ->
    ls-eq X1 X1' ->
    ls-eq X2 X2' ->
    ls-disjoint X1' X2' ->
    type.
%mode ls-disjoint-resp-eq +X1 +X2 +X3 -X4.

- : ls-disjoint-resp-eq ls-dj-nx (ls-eq-nx E1') _ Dj
    <- ls-emp-impl-disj _ E1' Dj _.

- : ls-disjoint-resp-eq _ (ls-eq-xn _) _ ls-dj-nx.

- : ls-disjoint-resp-eq ls-dj-xn _ (ls-eq-nx E2') Dj
    <- ls-emp-impl-disj _ E2' _ Dj.

- : ls-disjoint-resp-eq _ _ (ls-eq-xn _) ls-dj-xn.

- : ls-disjoint-resp-eq
    (ls-dj-ac Dj) (ls-eq-cc E1) (ls-eq-cc E2) (ls-dj-ac Dj')
    <- ls-disjoint-resp-eq Dj E1 E2 Dj'.

- : ls-disjoint-resp-eq
    (ls-dj-ac Dj) (ls-eq-cc E1) (ls-eq-cc E2) (ls-dj-ca Dj')
    <- ls-disjoint-resp-eq Dj E1 E2 Dj'.

- : ls-disjoint-resp-eq
    (ls-dj-ca Dj) (ls-eq-cc E1) (ls-eq-cc E2) (ls-dj-ac Dj')
    <- ls-disjoint-resp-eq Dj E1 E2 Dj'.

- : ls-disjoint-resp-eq
    (ls-dj-ca Dj) (ls-eq-cc E1) (ls-eq-cc E2) (ls-dj-ca Dj')
    <- ls-disjoint-resp-eq Dj E1 E2 Dj'.

%worlds () (ls-disjoint-resp-eq _ _ _ _).
%total D (ls-disjoint-resp-eq D _ _ _).



ls-eq-commutes : ls-eq X Y -> ls-eq Y X -> type.
%mode ls-eq-commutes +X1 -X2.

- : ls-eq-commutes (ls-eq-nx E) (ls-eq-xn E).
- : ls-eq-commutes (ls-eq-xn E) (ls-eq-nx E).
- : ls-eq-commutes (ls-eq-cc Eq) (ls-eq-cc Eq')
    <- ls-eq-commutes Eq Eq'.

%worlds () (ls-eq-commutes _ _).
%total D (ls-eq-commutes D _).



ls-eq-emp-impl-emp : ls-eq X Y -> ls-empty Y -> ls-empty X -> type.
%mode ls-eq-emp-impl-emp +EqXY +EY -EX.

- : ls-eq-emp-impl-emp (ls-eq-nx _) _ ls-empty-n.
- : ls-eq-emp-impl-emp (ls-eq-xn EX) _ EX.
- : ls-eq-emp-impl-emp (ls-eq-cc Eq) (ls-empty-a EY) (ls-empty-a EX)
    <- ls-eq-emp-impl-emp Eq EY EX.

%worlds () (ls-eq-emp-impl-emp _ _ _).
%total D (ls-eq-emp-impl-emp D _ _).



ls-eq-trans : ls-eq X Y -> ls-eq Y Z -> ls-eq X Z -> type.
%mode ls-eq-trans +XY +YZ -XZ.

- : ls-eq-trans (ls-eq-nx EY) EqYZ (ls-eq-nx EZ)
    <- ls-eq-commutes EqYZ EqZY
    <- ls-eq-emp-impl-emp EqZY EY EZ.

- : ls-eq-trans EqXY (ls-eq-xn EY) (ls-eq-xn EX)
    <- ls-eq-emp-impl-emp EqXY EY EX.

- : ls-eq-trans (ls-eq-xn EX) (ls-eq-nx EZ) Eq
    <- ls-emp-emp-eq EX EZ Eq.

- : ls-eq-trans (ls-eq-xn EX) (ls-eq-xn _) (ls-eq-xn EX).

- : ls-eq-trans (ls-eq-cc EqXY) (ls-eq-cc EqYZ) (ls-eq-cc EqXZ)
    <- ls-eq-trans EqXY EqYZ EqXZ.

%worlds () (ls-eq-trans _ _ _).
%total D (ls-eq-trans D _ _).



ls-union-fun-l :
    ls-eq X1 X1' ->
    ls-union X1 X2 X ->
    ls-union X1' X2 X' ->
    ls-eq X X' ->
    type.
%mode ls-union-fun-l +E +U1 +U2 -E'.

- : ls-union-fun-l (ls-eq-nx EX1') _ Un' Eq
    <- ls-union-emp-eq Un' EX1' Eq.

- : ls-union-fun-l (ls-eq-xn EX1) Un _ Eq
    <- ls-union-emp-eq Un EX1 Eqc
    <- ls-eq-commutes Eqc Eq.

- : ls-union-fun-l Eq ls-un-xn ls-un-xn Eq.

- : ls-union-fun-l
    (ls-eq-cc Eq) (ls-un-cc Un _) (ls-un-cc Un' _) (ls-eq-cc Eq')
    <- ls-union-fun-l Eq Un Un' Eq'.

%worlds () (ls-union-fun-l _ _ _ _).
%total D (ls-union-fun-l D _ _ _).

ls-union-fun-r :
    ls-eq X2 X2' ->
    ls-union X1 X2 X ->
    ls-union X1 X2' X' ->
    ls-eq X X' ->
    type.
%mode ls-union-fun-r +E +U1 +U2 -E'.

- : ls-union-fun-r E U U' Eres
    <- ls-union-commutes U Uc
    <- ls-union-commutes U' Uc'
    <- ls-union-fun-l E Uc Uc' Eres.

%worlds () (ls-union-fun-r _ _ _ _).
%total {} (ls-union-fun-r _ _ _ _).



ls-union-fun :
    ls-eq X1 X1' ->
    ls-eq X2 X2' ->
    ls-union X1 X2 X ->
    ls-union X1' X2' X' ->
    ls-eq X X' ->
    type.
%mode ls-union-fun +X1 +X2 +X3 +X4 -X5.

- : ls-union-fun E1 E2 U12 U1'2' Eres
    <- can-ls-union _ _ U1'2
    <- ls-union-fun-l E1 U12 U1'2 El
    <- ls-union-fun-r E2 U1'2 U1'2' Er
    <- ls-eq-trans El Er Eres.

%worlds () (ls-union-fun _ _ _ _ _).
%total {} (ls-union-fun _ _ _ _ _).



ls-sing-fun : ls-sing L X -> ls-sing L X' -> ls-eq X X' -> type.
%mode ls-sing-fun +X1 +X2 -X3.

- : ls-sing-fun ls-sing-z ls-sing-z (ls-eq-cc (ls-eq-nx ls-empty-n)).

- : ls-sing-fun (ls-sing-s Sg1) (ls-sing-s Sg2) (ls-eq-cc Eq)
    <- ls-sing-fun Sg1 Sg2 Eq.

%worlds () (ls-sing-fun _ _ _).
%total D (ls-sing-fun D _ _).



loc-or-assoc :
    loc-or P2 P3 P23 ->
    loc-or P1 P23 P123 ->
    loc-or P1 P2 P12 ->
    loc-or P12 P3 P123 ->
    type.
%mode loc-or-assoc +X1 +X2 +X3 -X4.

- : loc-or-assoc _ _ _ loc-or-aa.
- : loc-or-assoc _ _ _ loc-or-px.
- : loc-or-assoc _ _ _ loc-or-xp.

%worlds () (loc-or-assoc _ _ _ _).
%total {} (loc-or-assoc _ _ _ _).

ls-id-c : {P} ls-id X Y -> ls-id (ls-cons P X) (ls-cons P Y) -> type.
%mode ls-id-c +P +I1 -I2.

- : ls-id-c _ ls-id_ ls-id_.

%worlds () (ls-id-c _ _ _).
%total {} (ls-id-c _ _ _).

ls-su-id : ls-union X Y Z -> ls-union X Y Z' -> ls-id Z Z' -> type. 
%mode ls-su-id +U1 +U2 -I. 

- : ls-su-id _ _ ls-id_. 

- : ls-su-id (ls-un-cc U _) (ls-un-cc U' _) Id 

<- ls-su-id U U' Id' 
<- ls-id-c _ Id' Id. 

%worlds () (ls-su-id _ _ _) . 
%total D (ls-su-id _ D _) . 


ls-id-unil : ls-id X Y -> ls-union Y ls-nil X -> type.
%mode ls-id-unil +I -U.

- : ls-id-unil ls-id_ ls-un-xn.

%worlds () (ls-id-unil _ _).
%total {} (ls-id-unil _ _).

ls-union-assoc :
    ls-union X2 X3 X23 ->
    ls-union X1 X23 X123 ->
    ls-union X1 X2 X12 ->
    ls-union X12 X3 X123 ->
    type.
%mode ls-union-assoc +X1 +X2 +X3 -X4.

- : ls-union-assoc ls-un-nx ls-un-nx Un Un.

- : ls-union-assoc ls-un-nx ls-un-xn Un Un.

- : ls-union-assoc ls-un-nx Un ls-un-xn Un.

- : ls-union-assoc Un ls-un-nx ls-un-nx Un.

- : ls-union-assoc ls-un-xn U1'23 U12 U12'3
    <- ls-su-id U1'23 U12 Id
    <- ls-id-unil Id U12'3.

- : ls-union-assoc
    (ls-un-cc U23 Or23) (ls-un-cc U1'23 Or1'23) (ls-un-cc U12 Or12)
    (ls-un-cc U12'3 Or12'3)
    <- ls-union-assoc U23 U1'23 U12 U12'3
    <- loc-or-assoc Or23 Or1'23 Or12 Or12'3.

%worlds () (ls-union-assoc _ _ _ _).
%total D (ls-union-assoc D _ _ _).



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% store-lemmas.thm
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%



st-update-imp-lookup :
    st-update _ L V S ->
    st-lookup S L V ->
    type.
%mode st-update-imp-lookup +X1 -X2.

- : st-update-imp-lookup st-up-nz st-lo-z.
- : st-update-imp-lookup st-up-cz st-lo-z.
- : st-update-imp-lookup (st-up-ns Dup) (st-lo-s Dlo)
    <- st-update-imp-lookup Dup Dlo.
- : st-update-imp-lookup (st-up-cs Dup) (st-lo-s Dlo)
    <- st-update-imp-lookup Dup Dlo.

%worlds () (st-update-imp-lookup _ _).
%total D (st-update-imp-lookup D _).



contradiction-implies-val-eq : {V} {V'} false -> val-eq V V' -> type.
%mode contradiction-implies-val-eq +V1 +V2 +X1 -X2.
%worlds () (contradiction-implies-val-eq _ _ _ _).
%total {} (contradiction-implies-val-eq _ _ _ _).



st-lookup-fun :
    st-lookup S L V ->
    st-lookup S L V' ->
    val-eq V V' ->
    type.
%mode st-lookup-fun +X1 +X2 -X3.

- : st-lookup-fun st-lo-z st-lo-z val-eq_.

- : st-lookup-fun (st-lo-s Dup) (st-lo-s Dup') Deq
    <- st-lookup-fun Dup Dup' Deq.

%worlds (var-block) (st-lookup-fun _ _ _).
%total {D1 D2} (st-lookup-fun D1 D2 _).

st-eq-preserves-emp : st-empty S1 -> st-eq S1 S2 -> st-empty S2 -> type.
%mode st-eq-preserves-emp +X1 +X2 -X3.

- : st-eq-preserves-emp _ (st-eq-nx Emp) Emp.

- : st-eq-preserves-emp _ (st-eq-xn _) st-empty-n.

- : st-eq-preserves-emp (st-empty-e Emp1) (st-eq-cc Eq _) (st-empty-e Emp2)
    <- st-eq-preserves-emp Emp1 Eq Emp2.

%worlds () (st-eq-preserves-emp _ _ _).
%total D (st-eq-preserves-emp _ D _).

st-emp-eq-emp : st-empty S1 -> st-empty S2 -> st-eq S1 S2 -> type.
%mode st-emp-eq-emp +E1 +E2 -E3.

- : st-emp-eq-emp st-empty-n Emp2 (st-eq-nx Emp2).

- : st-emp-eq-emp Emp1 st-empty-n (st-eq-xn Emp1).

- : st-emp-eq-emp (st-empty-e Emp1) (st-empty-e Emp2) (st-eq-cc Emp sv-eq_)
    <- st-emp-eq-emp Emp1 Emp2 Emp.

%worlds () (st-emp-eq-emp _ _ _).
%total D (st-emp-eq-emp D _ _).

st-eq-refl : {S} st-eq S S -> type.
%mode st-eq-refl +X1 -X2.

- : st-eq-refl st-nil (st-eq-nx st-empty-n).

- : st-eq-refl (st-cons V S) (st-eq-cc Eq sv-eq_)
    <- st-eq-refl S Eq.

%worlds () (st-eq-refl _ _).
%total S (st-eq-refl S _).

st-eq-comm : st-eq S1 S2 -> st-eq S2 S1 -> type.
%mode st-eq-comm +X1 -X2.

- : st-eq-comm (st-eq-nx E) (st-eq-xn E).

- : st-eq-comm (st-eq-xn E) (st-eq-nx E).

- : st-eq-comm (st-eq-cc Eq12 _) (st-eq-cc Eq21 sv-eq_)
    <- st-eq-comm Eq12 Eq21.

%worlds () (st-eq-comm _ _).
%total D (st-eq-comm D _).

st-eq-trans : st-eq S1 S2 -> st-eq S2 S3 -> st-eq S1 S3 -> type.
%mode st-eq-trans +X1 +X2 -X3.

- : st-eq-trans (st-eq-nx E1) Eq2 (st-eq-nx E)
    <- st-eq-preserves-emp E1 Eq2 E.

- : st-eq-trans (st-eq-xn E1) (st-eq-nx E3) Eq
    <- st-emp-eq-emp E1 E3 Eq.

- : st-eq-trans Eq12 (st-eq-xn E2) (st-eq-xn E1)
    <- st-eq-comm Eq12 Eq21
    <- st-eq-preserves-emp E2 Eq21 E1.

- : st-eq-trans (st-eq-cc Eq1 _) (st-eq-cc Eq2 _) (st-eq-cc Eq sv-eq_)
    <- st-eq-trans Eq1 Eq2 Eq.

%worlds () (st-eq-trans _ _ _).
%total D (st-eq-trans D _ _).

st-sqsubeq-ex-refl :
    {S} {X}
    st-sqsubeq-ex S X S ->
    type.
%mode st-sqsubeq-ex-refl +X1 +X2 -X3.

- : st-sqsubeq-ex-refl st-nil _ st-ssee-nxx.

- : st-sqsubeq-ex-refl
    (st-cons sv-free S) ls-nil
    (st-ssee-fnc Dssee)
    <- st-sqsubeq-ex-refl S ls-nil Dssee.

- : st-sqsubeq-ex-refl
    (st-cons (sv-val _) S) ls-nil
    (st-ssee-vnv Dssee val-eq_)
    <- st-sqsubeq-ex-refl S ls-nil Dssee.

- : st-sqsubeq-ex-refl
    (st-cons sv-free S) (ls-cons _ X)
    (st-ssee-fcc Dssee)
    <- st-sqsubeq-ex-refl S X Dssee.

- : st-sqsubeq-ex-refl
    (st-cons (sv-val _) S) (ls-cons loc-absent X)
    (st-ssee-vav Dssee val-eq_)
    <- st-sqsubeq-ex-refl S X Dssee.

- : st-sqsubeq-ex-refl
    (st-cons _ S) (ls-cons loc-present X)
    (st-ssee-cpc Dssee)
    <- st-sqsubeq-ex-refl S X Dssee.

%worlds () (st-sqsubeq-ex-refl _ _ _).
%total D (st-sqsubeq-ex-refl D _ _).

st-sqsubeq-ex-nil-impl-any :
    {S'}
    st-sqsubeq-ex S X st-nil ->
    st-sqsubeq-ex S X S' ->
    type.
%mode st-sqsubeq-ex-nil-impl-any +S +X1 -X2.

- : st-sqsubeq-ex-nil-impl-any _ st-ssee-nxx st-ssee-nxx.

- : st-sqsubeq-ex-nil-impl-any
    st-nil (st-ssee-fnn Dssee) (st-ssee-fnn Dssee')
    <- st-sqsubeq-ex-nil-impl-any st-nil Dssee Dssee'.

- : st-sqsubeq-ex-nil-impl-any
    (st-cons _ S') (st-ssee-fnn Dssee) (st-ssee-fnc Dssee')
    <- st-sqsubeq-ex-nil-impl-any S' Dssee Dssee'.

- : st-sqsubeq-ex-nil-impl-any
    st-nil (st-ssee-fcn Dssee) (st-ssee-fcn Dssee')
    <- st-sqsubeq-ex-nil-impl-any st-nil Dssee Dssee'.

- : st-sqsubeq-ex-nil-impl-any
    (st-cons _ S') (st-ssee-fcn Dssee) (st-ssee-fcc Dssee')
    <- st-sqsubeq-ex-nil-impl-any S' Dssee Dssee'.

- : st-sqsubeq-ex-nil-impl-any
    st-nil (st-ssee-cpn Dssee) (st-ssee-cpn Dssee')
    <- st-sqsubeq-ex-nil-impl-any st-nil Dssee Dssee'.

- : st-sqsubeq-ex-nil-impl-any
    (st-cons _ S') (st-ssee-cpn Dssee) (st-ssee-cpc Dssee')
    <- st-sqsubeq-ex-nil-impl-any S' Dssee Dssee'.

%worlds () (st-sqsubeq-ex-nil-impl-any _ _ _).
%total D (st-sqsubeq-ex-nil-impl-any _ D _).

st-sqsubeq-ex-trans :
    st-sqsubeq-ex S1 X S2 ->
    st-sqsubeq-ex S2 X S3 ->
    st-sqsubeq-ex S1 X S3 ->
    type.
%mode st-sqsubeq-ex-trans +X1 +X2 -X3.

- : st-sqsubeq-ex-trans st-ssee-nxx _ st-ssee-nxx.

- : st-sqsubeq-ex-trans
    (Dssee12 : st-sqsubeq-ex _ _ st-nil)
    (_ : st-sqsubeq-ex st-nil _ S3)
    Dssee13
    <- st-sqsubeq-ex-nil-impl-any S3 Dssee12 Dssee13.

- : st-sqsubeq-ex-trans
    (st-ssee-fnc Dssee12) (st-ssee-fnn Dssee23) (st-ssee-fnn Dssee13)
    <- st-sqsubeq-ex-trans Dssee12 Dssee23 Dssee13.

- : st-sqsubeq-ex-trans
    (st-ssee-fcc Dssee12) (st-ssee-fcn Dssee23) (st-ssee-fcn Dssee13)
    <- st-sqsubeq-ex-trans Dssee12 Dssee23 Dssee13.

- : st-sqsubeq-ex-trans
    (st-ssee-fnc Dssee12) (st-ssee-fnc Dssee23) (st-ssee-fnc Dssee13)
    <- st-sqsubeq-ex-trans Dssee12 Dssee23 Dssee13.

- : st-sqsubeq-ex-trans
    (st-ssee-fcc Dssee12) (st-ssee-fcc Dssee23) (st-ssee-fcc Dssee13)
    <- st-sqsubeq-ex-trans Dssee12 Dssee23 Dssee13.

- : st-sqsubeq-ex-trans
    (st-ssee-fnc Dssee12) (st-ssee-vnv Dssee23 _) (st-ssee-fnc Dssee13)
    <- st-sqsubeq-ex-trans Dssee12 Dssee23 Dssee13.

- : st-sqsubeq-ex-trans
    (st-ssee-fcc Dssee12) (st-ssee-vav Dssee23 _) (st-ssee-fcc Dssee13)
    <- st-sqsubeq-ex-trans Dssee12 Dssee23 Dssee13.

- : st-sqsubeq-ex-trans
    (st-ssee-fcc Dssee12) (st-ssee-cpn Dssee23) (st-ssee-fcn Dssee13)
    <- st-sqsubeq-ex-trans Dssee12 Dssee23 Dssee13.

- : st-sqsubeq-ex-trans
    (st-ssee-fcc Dssee12) (st-ssee-cpc Dssee23) (st-ssee-fcc Dssee13)
    <- st-sqsubeq-ex-trans Dssee12 Dssee23 Dssee13.

- : st-sqsubeq-ex-trans
    (st-ssee-vnv Dssee12 _) (st-ssee-vnv Dssee23 _)
    (st-ssee-vnv Dssee13 val-eq_)
    <- st-sqsubeq-ex-trans Dssee12 Dssee23 Dssee13.

- : st-sqsubeq-ex-trans
    (st-ssee-vav Dssee12 _) (st-ssee-vav Dssee23 _)
    (st-ssee-vav Dssee13 val-eq_)
    <- st-sqsubeq-ex-trans Dssee12 Dssee23 Dssee13.

- : st-sqsubeq-ex-trans
    (st-ssee-cpc Dssee12) (st-ssee-fcn Dssee23) (st-ssee-cpn Dssee13)
    <- st-sqsubeq-ex-trans Dssee12 Dssee23 Dssee13.

- : st-sqsubeq-ex-trans
    (st-ssee-cpc Dssee12) (st-ssee-fcc Dssee23) (st-ssee-cpc Dssee13)
    <- st-sqsubeq-ex-trans Dssee12 Dssee23 Dssee13.

- : st-sqsubeq-ex-trans
    (st-ssee-cpc Dssee12) (st-ssee-cpn Dssee23) (st-ssee-cpn Dssee13)
    <- st-sqsubeq-ex-trans Dssee12 Dssee23 Dssee13.

- : st-sqsubeq-ex-trans
    (st-ssee-cpc Dssee12) (st-ssee-cpc Dssee23) (st-ssee-cpc Dssee13)
    <- st-sqsubeq-ex-trans Dssee12 Dssee23 Dssee13.

%worlds () (st-sqsubeq-ex-trans _ _ _).
%total D (st-sqsubeq-ex-trans D _ _).
st-sqsubeq-ex-resp-subeq :
    st-sqsubeq-ex S1 X S2 ->
    ls-subeq X X' ->
    st-sqsubeq-ex S1 X' S2 ->
    type.
%mode st-sqsubeq-ex-resp-subeq +X1 +X2 -X3.



- : st-sqsubeq-ex-resp-subeq st-ssee-nxx _ st-ssee-nxx. 

- : st-sqsubeq-ex-resp-subeq (st-ssee-fnn D) ls-subeq-nx (st-ssee-fnn D' ) 

<- st-sqsubeq-ex-resp-subeq D ls-subeq-nx D' . 

- : st-sqsubeq-ex-resp-subeq (st-ssee-fnn D) ls-subeq-nx (st-ssee-fcn D' ) 

<- st-sqsubeq-ex-resp-subeq D ls-subeq-nx D' . 

- : st-sqsubeq-ex-resp-subeq 

(st-ssee-fnn D) (ls-subeq-xn ls-empty-n) (st-ssee-fnn D' ) 
<- st-sqsubeq-ex-resp-subeq D (ls-subeq-xn ls-empty-n) D' . 

- : st-sqsubeq-ex-resp-subeq 

(st-ssee-fcn D) (ls-subeq-xn (ls-empty-a Emp) ) (st-ssee-fnn D' ) 
<- st-sqsubeq-ex-resp-subeq D (ls-subeq-xn Emp) D' . 

- : st-sqsubeq-ex-resp-subeq 

(st-ssee-fcn D) (ls-subeq-ax Dsub) (st-ssee-fcn D' ) 
<- st-sqsubeq-ex-resp-subeq D Dsub D' . 

- : st-sqsubeq-ex-resp-subeq 

(st-ssee-fcn D) (ls-subeq-pp Dsub) (st-ssee-fcn D' ) 
<- st-sqsubeq-ex-resp-subeq D Dsub D' . 

- : st-sqsubeq-ex-resp-subeq (st-ssee-fnc D) ls-subeq-nx (st-ssee-fnc D' ) 

<- st-sqsubeq-ex-resp-subeq D ls-subeq-nx D' . 

- : st-sqsubeq-ex-resp-subeq (st-ssee-fnc D) ls-subeq-nx (st-ssee-fcc D' ) 

<- st-sqsubeq-ex-resp-subeq D ls-subeq-nx D' . 

- : st-sqsubeq-ex-resp-subeq 

(st-ssee-fnc D) (ls-subeq-xn ls-empty-n) (st-ssee-fnc D' ) 
<- st-sqsubeq-ex-resp-subeq D (ls-subeq-xn ls-empty-n) D' . 

- : st-sqsubeq-ex-resp-subeq 

(st-ssee-fcc D) (ls-subeq-xn (ls-empty-a Emp) ) (st-ssee-fnc D' ) 
<- st-sqsubeq-ex-resp-subeq D (ls-subeq-xn Emp) D' . 

- : st-sqsubeq-ex-resp-subeq 

(st-ssee-fcc D) (ls-subeq-ax Dsub) (st-ssee-fcc D' ) 
<- st-sqsubeq-ex-resp-subeq D Dsub D' . 

- : st-sqsubeq-ex-resp-subeq
    (st-ssee-fcc D) (ls-subeq-pp Dsub) (st-ssee-fcc D')
    <- st-sqsubeq-ex-resp-subeq D Dsub D'.



- : st-sqsubeq-ex-resp-subeq 

(st-ssee-vnv D _) (ls-subeq-xn _) (st-ssee-vnv D' val-eq_) 
<- st-sqsubeq-ex-resp-subeq D ls-subeq-nx D' . 

- : st-sqsubeq-ex-resp-subeq 

(st-ssee-vav D _) (ls-subeq-xn _) (st-ssee-vnv D' val-eq_) 
<- st-sqsubeq-ex-resp-subeq D ls-subeq-nx D' . 

- : st-sqsubeq-ex-resp-subeq 

(st-ssee-vnv D _) ls-subeq-nx (st-ssee-vnv D' val-eq_) 
<- st-sqsubeq-ex-resp-subeq D ls-subeq-nx D' . 

- : st-sqsubeq-ex-resp-subeq 

(st-ssee-vnv D _) ls-subeq-nx (st-ssee-vav D' val-eq_) 
<- st-sqsubeq-ex-resp-subeq D ls-subeq-nx D' . 

- : st-sqsubeq-ex-resp-subeq (st-ssee-vnv D _) ls-subeq-nx (st-ssee-cpc D' ) 

<- st-sqsubeq-ex-resp-subeq D ls-subeq-nx D' . 

- : st-sqsubeq-ex-resp-subeq 

(st-ssee-vav D _) (ls-subeq-xn (ls-empty-a Emp) ) (st-ssee-vnv D' val-eq_) 
<- st-sqsubeq-ex-resp-subeq D (ls-subeq-xn Emp) D' . 

- : st-sqsubeq-ex-resp-subeq 

(st-ssee-vav D _) (ls-subeq-ax Dsub) (st-ssee-vav D' val-eq_) 
<- st-sqsubeq-ex-resp-subeq D Dsub D' . 

- : st-sqsubeq-ex-resp-subeq 

(st-ssee-vav D _) (ls-subeq-ax Dsub) (st-ssee-cpc D' ) 
<- st-sqsubeq-ex-resp-subeq D Dsub D' . 

- : st-sqsubeq-ex-resp-subeq 

(st-ssee-cpn D) (ls-subeq-pp Dsub) (st-ssee-cpn D' ) 
<- st-sqsubeq-ex-resp-subeq D Dsub D' . 

- : st-sqsubeq-ex-resp-subeq 

(st-ssee-cpc D) (ls-subeq-pp Dsub) (st-ssee-cpc D' ) 
<- st-sqsubeq-ex-resp-subeq D Dsub D' . 

%worlds () (st-sqsubeq-ex-resp-subeq _ _ _) . 
%total D (st-sqsubeq-ex-resp-subeq D _ _) . 



st-update-imp-st-sqsubeq-ex :
    st-update S L V S' ->
    ls-sing L X ->
    st-sqsubeq-ex S X S' ->
    type.
%mode st-update-imp-st-sqsubeq-ex +X1 +X2 -X3.

- : st-update-imp-st-sqsubeq-ex st-up-nz ls-sing-z st-ssee-nxx.

- : st-update-imp-st-sqsubeq-ex (st-up-ns _) _ st-ssee-nxx.

- : st-update-imp-st-sqsubeq-ex
    (st-up-cz : st-update (st-cons sv-free S) _ _ _)
    ls-sing-z
    (st-ssee-fcc D)
    <- st-sqsubeq-ex-refl S ls-nil D.

- : st-update-imp-st-sqsubeq-ex
    (st-up-cz : st-update (st-cons (sv-val _) S) _ _ _)
    ls-sing-z
    (st-ssee-cpc D)
    <- st-sqsubeq-ex-refl S ls-nil D.

- : st-update-imp-st-sqsubeq-ex
    (st-up-cs Dup : st-update (st-cons sv-free S) _ _ _)
    (ls-sing-s Dls)
    (st-ssee-fcc D)
    <- st-update-imp-st-sqsubeq-ex Dup Dls D.

- : st-update-imp-st-sqsubeq-ex
    (st-up-cs Dup : st-update (st-cons (sv-val _) S) _ _ _)
    (ls-sing-s Dls)
    (st-ssee-vav D val-eq_)
    <- st-update-imp-st-sqsubeq-ex Dup Dls D.

%worlds () (st-update-imp-st-sqsubeq-ex _ _ _).
%total D (st-update-imp-st-sqsubeq-ex D _ _).

st-lo-ssee-nil-contradiction :
    st-lookup S L _ ->
    ls-sing L X ->
    ls-disjoint X G ->
    st-sqsubeq-ex S G st-nil ->
    false ->
    type.
%mode st-lo-ssee-nil-contradiction +X1 +X2 +X3 +X4 -X5.

- : st-lo-ssee-nil-contradiction
    (st-lo-s L)
    (ls-sing-s Sg)
    ls-dj-xn
    (st-ssee-fnn Dssee)
    False
    <- st-lo-ssee-nil-contradiction L Sg ls-dj-xn Dssee False.

- : st-lo-ssee-nil-contradiction
    (st-lo-s L)
    (ls-sing-s Sg)
    (ls-dj-ac Dj)
    (st-ssee-fcn Dssee)
    False
    <- st-lo-ssee-nil-contradiction L Sg Dj Dssee False.

- : st-lo-ssee-nil-contradiction
    (st-lo-s L)
    (ls-sing-s Sg)
    (ls-dj-ac Dj)
    (st-ssee-cpn Dssee)
    False
    <- st-lo-ssee-nil-contradiction L Sg Dj Dssee False.

- : st-lo-ssee-nil-contradiction
    (st-lo-s L)
    (ls-sing-s Sg)
    (ls-dj-ca Dj)
    (st-ssee-fcn Dssee)
    False
    <- st-lo-ssee-nil-contradiction L Sg Dj Dssee False.

%worlds (var-block) (st-lo-ssee-nil-contradiction _ _ _ _ _).
%total D (st-lo-ssee-nil-contradiction D _ _ _ _).

st-false-implies-nil-lookup :
    {L}{V} false -> st-lookup st-nil L V -> type.
%mode st-false-implies-nil-lookup +L +V +F -Dlu.
%worlds (var-block) (st-false-implies-nil-lookup _ _ _ _).
%total {} (st-false-implies-nil-lookup _ _ _ _).

%{
This lemma is the motivation for our representation of stores and
location sets; it is a straightforward induction in this
representation, but would seem to require a lot of sub-lemmas in
some more "obvious" representations (e.g. association lists for
stores and lists for location sets).
}%
st-lookup-resp-sqsubeq-ex-notin :
    st-lookup S L V ->
    st-sqsubeq-ex S G S' ->
    ls-sing L X ->
    ls-disjoint X G ->
    st-lookup S' L V ->
    type.
%mode st-lookup-resp-sqsubeq-ex-notin +X1 +X2 +X3 +X4 -X5.

- : st-lookup-resp-sqsubeq-ex-notin Dlo Dssee Sg Dj Dlo'
    <- st-lo-ssee-nil-contradiction Dlo Sg Dj Dssee False
    <- st-false-implies-nil-lookup _ _ False Dlo'.

- : st-lookup-resp-sqsubeq-ex-notin
    st-lo-z
    (st-ssee-vnv _ _)
    ls-sing-z
    ls-dj-xn
    st-lo-z.

- : st-lookup-resp-sqsubeq-ex-notin
    st-lo-z
    (st-ssee-vav _ _)
    ls-sing-z
    (ls-dj-ca _)
    st-lo-z.

- : st-lookup-resp-sqsubeq-ex-notin
    (st-lo-s L)
    (st-ssee-fnc Dssee)
    (ls-sing-s Sg)
    ls-dj-xn
    (st-lo-s L')
    <- st-lookup-resp-sqsubeq-ex-notin L Dssee Sg ls-dj-xn L'.

- : st-lookup-resp-sqsubeq-ex-notin
    (st-lo-s L)
    (st-ssee-fcc Dssee)
    (ls-sing-s Sg)
    (ls-dj-ac Dj)
    (st-lo-s L')
    <- st-lookup-resp-sqsubeq-ex-notin L Dssee Sg Dj L'.

- : st-lookup-resp-sqsubeq-ex-notin
    (st-lo-s L)
    (st-ssee-fcc Dssee)
    (ls-sing-s Sg)
    (ls-dj-ca Dj)
    (st-lo-s L')
    <- st-lookup-resp-sqsubeq-ex-notin L Dssee Sg Dj L'.

- : st-lookup-resp-sqsubeq-ex-notin
    (st-lo-s L)
    (st-ssee-vnv Dssee _)
    (ls-sing-s Sg)
    ls-dj-xn
    (st-lo-s L')
    <- st-lookup-resp-sqsubeq-ex-notin L Dssee Sg ls-dj-xn L'.

- : st-lookup-resp-sqsubeq-ex-notin
    (st-lo-s L)
    (st-ssee-vav Dssee _)
    (ls-sing-s Sg)
    (ls-dj-ac Dj)
    (st-lo-s L')
    <- st-lookup-resp-sqsubeq-ex-notin L Dssee Sg Dj L'.

- : st-lookup-resp-sqsubeq-ex-notin
    (st-lo-s L)
    (st-ssee-vav Dssee _)
    (ls-sing-s Sg)
    (ls-dj-ca Dj)
    (st-lo-s L')
    <- st-lookup-resp-sqsubeq-ex-notin L Dssee Sg Dj L'.

- : st-lookup-resp-sqsubeq-ex-notin
    (st-lo-s L)
    (st-ssee-cpc Dssee)
    (ls-sing-s Sg)
    (ls-dj-ac Dj)
    (st-lo-s L')
    <- st-lookup-resp-sqsubeq-ex-notin L Dssee Sg Dj L'.

%worlds (var-block) (st-lookup-resp-sqsubeq-ex-notin _ _ _ _ _).
%total D (st-lookup-resp-sqsubeq-ex-notin D _ _ _ _).
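The comment above motivates the list-based representation of stores and location sets. The following Python model is an added example, not part of the paper's Twelf development: it restates the store relations under one reading of the constructors (a store is a list of cells, a location set a list of present/absent flags, locations past the end of either list are free/absent, and val-eq is Python equality; all of these are assumptions made here, not statements from the page) and then checks st-update-imp-st-sqsubeq-ex, st-lookup-resp-sqsubeq-ex-notin, st-sqsubeq-ex-resp-subeq, st-sqsubeq-ex-trans and ls-subeq-union by exhaustive enumeration over small stores and sets. The Python function names mirror the Twelf type families with hyphens replaced by underscores.

```python
"""Executable model of the store / location-set representation behind the
Twelf store lemmas.  Added example, not the paper's own code.  Assumptions:
a store is a list of cells (None = sv-free, otherwise sv-val v); a location
set is a list of booleans (True = loc-present); locations beyond the end of
either list are free / absent; val-eq is Python equality."""
from itertools import product

FREE = None  # sv-free

def ls_member(x, loc):
    """loc is loc-present in X (absent past the end of the list)."""
    return loc < len(x) and x[loc]

def ls_sing(loc):
    """ls-sing L X: the singleton set {L} (ls-sing-z / ls-sing-s)."""
    return [False] * loc + [True]

def ls_union(x, y):
    """ls-union X Y Z: pointwise loc-or."""
    return [ls_member(x, i) or ls_member(y, i) for i in range(max(len(x), len(y)))]

def ls_subeq(x, x2):
    """ls-subeq X X': every present location of X is present in X'."""
    return all(ls_member(x2, i) for i in range(len(x)) if x[i])

def ls_disjoint(x, y):
    """ls-disjoint X Y: no location is present in both."""
    return not any(ls_member(x, i) and ls_member(y, i) for i in range(max(len(x), len(y))))

def st_lookup(s, loc):
    """st-lookup S L V; returns FREE when no derivation exists."""
    return s[loc] if loc < len(s) else FREE

def st_update(s, loc, v):
    """st-update S L V S': copy of S with L set to V; st-up-ns / st-up-nz
    extend the store with free cells when L lies past the end."""
    s2 = list(s) + [FREE] * (loc + 1 - len(s))
    s2[loc] = v
    return s2

def st_sqsubeq_ex(s, x, s2):
    """st-sqsubeq-ex S X S': every location holding a value in S that is not
    in X holds the same value in S'.  Free cells of S (st-ssee-f..) and
    locations in X (st-ssee-cp..) are unconstrained; st-ssee-vnv / vav are
    the cases that force the value to be preserved."""
    return all(st_lookup(s2, i) == s[i]
               for i in range(len(s)) if s[i] is not FREE and not ls_member(x, i))

def all_stores(max_len, values=(FREE, 1, 2)):
    """Every store of length <= max_len over the given cell contents (constructed)."""
    for n in range(max_len + 1):
        for cells in product(values, repeat=n):
            yield list(cells)

def all_locsets(max_len):
    """Every location set of length <= max_len (constructed)."""
    for n in range(max_len + 1):
        for flags in product((False, True), repeat=n):
            yield list(flags)

def check_lemmas(max_len=2):
    """Check the lemmas by exhaustive enumeration over stores and location
    sets of length <= max_len.  Returns {lemma name: holds?}."""
    stores, locsets, locs = list(all_stores(max_len)), list(all_locsets(max_len)), range(max_len + 1)
    return {
        # st-update-imp-st-sqsubeq-ex: an update disturbs only the written location
        "update-imp-sqsubeq-ex": all(
            st_sqsubeq_ex(s, ls_sing(l), st_update(s, l, v))
            for s in stores for l in locs for v in (1, 2)),
        # st-lookup-resp-sqsubeq-ex-notin: lookups outside G survive S sqsubeq_G S'
        "lookup-resp-notin": all(
            st_lookup(s2, l) == st_lookup(s, l)
            for s in stores for s2 in stores for g in locsets for l in locs
            if st_lookup(s, l) is not FREE and ls_disjoint(ls_sing(l), g)
            and st_sqsubeq_ex(s, g, s2)),
        # st-sqsubeq-ex-resp-subeq: enlarging the excluded set keeps the relation
        "resp-subeq": all(
            st_sqsubeq_ex(s, x2, s2)
            for s in stores for s2 in stores for x in locsets for x2 in locsets
            if ls_subeq(x, x2) and st_sqsubeq_ex(s, x, s2)),
        # st-sqsubeq-ex-trans
        "trans": all(
            st_sqsubeq_ex(s1, x, s3)
            for s1 in stores for s2 in stores for s3 in stores for x in locsets
            if st_sqsubeq_ex(s1, x, s2) and st_sqsubeq_ex(s2, x, s3)),
        # ls-subeq-union: X1 <= X2 and X3 <= X2 give X1 u X3 <= X2
        "subeq-union": all(
            ls_subeq(ls_union(x1, x3), x2)
            for x1 in locsets for x3 in locsets for x2 in locsets
            if ls_subeq(x1, x2) and ls_subeq(x3, x2)),
    }

if __name__ == "__main__":
    for name, ok in check_lemmas(2).items():
        print(f"{name}: {'holds' if ok else 'FAILS'}")
```

The enumeration is a sanity check on the reading of the constructors, not a proof; the %total declarations in the Twelf development are what establish the lemmas for all stores. Its value is in catching a misread case (for instance treating a location past the end of S' as preserved rather than free) before that misreading is encoded in proof cases.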

st-lookup-nodep :
    ({v : val} st-lookup S L (V v)) ->
    st-lookup S L V' ->
    ({v : val} val-eq (V v) V') ->
    type.
%mode st-lookup-nodep +X1 -X2 -X3.

- : st-lookup-nodep
    ([v] st-lo-z)
    st-lo-z
    ([v] val-eq_).

- : st-lookup-nodep
    ([v] st-lo-s (Dstl v))
    (st-lo-s Dstl')
    Deq
    <- st-lookup-nodep Dstl Dstl' Deq.

%worlds (var-block) (st-lookup-nodep _ _ _).
%total D (st-lookup-nodep D _ _).

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% trace-lemmas.thm
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

trs-gen-fun :
    trs-gen Ts X ->
    trs-gen Ts X' ->
    ls-eq X X' ->
    type.
%mode trs-gen-fun +X1 +X2 -X3.

trc-gen-fun :
    trc-gen Tc X ->
    trc-gen Tc X' ->
    ls-eq X X' ->
    type.
%mode trc-gen-fun +X1 +X2 -X3.

%{
cases for trs-gen-fun
}%

- : trs-gen-fun trs-gen-nil _ (ls-eq-nx ls-empty-n).

- : trs-gen-fun
    (trs-gen-mod Dlu Dls Dcg) (trs-gen-mod Dlu' Dls' Dcg') Deq
    <- trc-gen-fun Dcg Dcg' Deq1
    <- ls-sing-fun Dls Dls' Deq2
    <- ls-union-fun Deq1 Deq2 Dlu Dlu' Deq.

- : trs-gen-fun
    (trs-gen-let Dun Dsg1 Dsg2) (trs-gen-let Dun' Dsg1' Dsg2') Eqres
    <- trs-gen-fun Dsg1 Dsg1' Eq1
    <- trs-gen-fun Dsg2 Dsg2' Eq2
    <- ls-union-fun Eq2 Eq1 Dun Dun' Eqres.

%{
cases for trc-gen-fun
}%

- : trc-gen-fun trc-gen-wr _ (ls-eq-nx ls-empty-n).

- : trc-gen-fun
    (trc-gen-let Dun Dcg Dsg) (trc-gen-let Dun' Dcg' Dsg') Eqres
    <- trc-gen-fun Dcg Dcg' Eqc
    <- trs-gen-fun Dsg Dsg' Eqs
    <- ls-union-fun Eqs Eqc Dun Dun' Eqres.

- : trc-gen-fun
    (trc-gen-rd Dcg) (trc-gen-rd Dcg') Eqres
    <- trc-gen-fun Dcg Dcg' Eqres.

%worlds ()
    (trs-gen-fun _ _ _)
    (trc-gen-fun _ _ _).
%total (Dc Ds)
    (trc-gen-fun Dc _ _)
    (trs-gen-fun Ds _ _).

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
%% eval-lemmas . thm 

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
evals-imp-st-sqsubeq-ex-trs-gen :
    evals S S' Ts ->
    trs-gen Ts G ->
    st-sqsubeq-ex S G S' ->
    type.
%mode evals-imp-st-sqsubeq-ex-trs-gen +X1 +X2 -X3.

evalc-imp-st-sqsubeq-ex-trc-gen :
    evalc S L _ S' Ts ->
    trc-gen Ts G ->
    ls-sing L X ->
    ls-union G X G+X ->
    st-sqsubeq-ex S G+X S' ->
    type.
%mode evalc-imp-st-sqsubeq-ex-trc-gen +X1 +X2 +X3 +X4 -X5.

cps-imp-st-sqsubeq-ex-trs-gen :
    cps S _ S' Ts' ->
    trs-gen Ts' G ->
    st-sqsubeq-ex S G S' ->
    type.
%mode cps-imp-st-sqsubeq-ex-trs-gen +X1 +X2 -X3.

cpc-imp-st-sqsubeq-ex-trc-gen :
    cpc S L _ S' Ts' ->
    trc-gen Ts' G ->
    ls-sing L X ->
    ls-union G X G+X ->
    st-sqsubeq-ex S G+X S' ->
    type.
%mode cpc-imp-st-sqsubeq-ex-trc-gen +X1 +X2 +X3 +X4 -X5.



- : evals-imp-st-sqsubeq-ex-trs-gen
    evals-val
    trs-gen-nil
    Dssee'
    <- st-sqsubeq-ex-refl _ _ Dssee'.

- : evals-imp-st-sqsubeq-ex-trs-gen
    (evals-plus Dsum)
    trs-gen-nil
    Dssee'
    <- st-sqsubeq-ex-refl _ _ Dssee'.

- : evals-imp-st-sqsubeq-ex-trs-gen
    (evals-mod _ _ _ Devalc)
    (trs-gen-mod Dlu Dls Dtg)
    Dssee'
    <- evalc-imp-st-sqsubeq-ex-trc-gen Devalc Dtg Dls Dlu Dssee'.

- : evals-imp-st-sqsubeq-ex-trs-gen
    (evals-memo-miss Devals)
    Dtg
    Dssee'
    <- evals-imp-st-sqsubeq-ex-trs-gen Devals Dtg Dssee'.

- : evals-imp-st-sqsubeq-ex-trs-gen
    (evals-memo-hit Dcps _ _)
    Dtg
    Dssee'
    <- cps-imp-st-sqsubeq-ex-trs-gen Dcps Dtg Dssee'.

- : evals-imp-st-sqsubeq-ex-trs-gen
    (evals-app Devals)
    Dtg
    Dssee'
    <- evals-imp-st-sqsubeq-ex-trs-gen Devals Dtg Dssee'.

- : evals-imp-st-sqsubeq-ex-trs-gen
    (evals-let _ _ _ Devals2 Devals1)
    (trs-gen-let (Dlu : ls-union G1 G2 G1+G2) Dtg2 Dtg1)
    Dssee'
    <- evals-imp-st-sqsubeq-ex-trs-gen Devals1 Dtg1 Dssee1
    <- evals-imp-st-sqsubeq-ex-trs-gen Devals2 Dtg2 Dssee2
    <- ls-union-imp-subeq Dlu (Dlse1 : ls-subeq G1 G1+G2) (Dlse2 : ls-subeq G2 G1+G2)
    <- st-sqsubeq-ex-resp-subeq Dssee1 Dlse1 Dssee1'
    <- st-sqsubeq-ex-resp-subeq Dssee2 Dlse2 Dssee2'
    <- st-sqsubeq-ex-trans Dssee1' Dssee2' Dssee'.

- : evals-imp-st-sqsubeq-ex-trs-gen
    (evals-letp Devals)
    Dtg
    Dssee'
    <- evals-imp-st-sqsubeq-ex-trs-gen Devals Dtg Dssee'.

- : evals-imp-st-sqsubeq-ex-trs-gen
    (evals-case-inl Devals)
    Dtg
    Dssee'
    <- evals-imp-st-sqsubeq-ex-trs-gen Devals Dtg Dssee'.

- : evals-imp-st-sqsubeq-ex-trs-gen
    (evals-case-inr Devals)
    Dtg
    Dssee'
    <- evals-imp-st-sqsubeq-ex-trs-gen Devals Dtg Dssee'.



- : evalc-imp-st-sqsubeq-ex-trc-gen
    (evalc-write Dstu)
    trc-gen-wr
    Dls
    Dlu
    Dssee'
    <- st-update-imp-st-sqsubeq-ex Dstu Dls Dssee'.

- : evalc-imp-st-sqsubeq-ex-trc-gen
    (evalc-read Devalc _)
    (trc-gen-rd Dtg)
    Dls
    Dlu
    Dssee'
    <- evalc-imp-st-sqsubeq-ex-trc-gen Devalc Dtg Dls Dlu Dssee'.

- : evalc-imp-st-sqsubeq-ex-trc-gen
    (evalc-memo-miss Devalc)
    Dtg
    Dls
    Dlu
    Dssee'
    <- evalc-imp-st-sqsubeq-ex-trc-gen Devalc Dtg Dls Dlu Dssee'.

- : evalc-imp-st-sqsubeq-ex-trc-gen
    (evalc-memo-hit Dcpc _ _)
    Dtg
    Dls
    Dlu
    Dssee'
    <- cpc-imp-st-sqsubeq-ex-trc-gen Dcpc Dtg Dls Dlu Dssee'.

- : evalc-imp-st-sqsubeq-ex-trc-gen
    (evalc-app Devalc)
    Dtg
    Dls
    Dlu
    Dssee'
    <- evalc-imp-st-sqsubeq-ex-trc-gen Devalc Dtg Dls Dlu Dssee'.

- : evalc-imp-st-sqsubeq-ex-trc-gen
    (evalc-let _ _ _ Devalc2 Devals1)
    (trc-gen-let (Dlu : ls-union G1 G2 G1+G2) Dtg2 Dtg1)
    Dls
    (Dlu2 : ls-union G1+G2 X G1+G2+X)
    Dssee'
    <- evals-imp-st-sqsubeq-ex-trs-gen Devals1 Dtg1 Dssee1
    <- can-ls-union _ _ (Dlu3 : ls-union G2 X G2+X)
    <- evalc-imp-st-sqsubeq-ex-trc-gen Devalc2 Dtg2 Dls Dlu3 Dssee2
    <- ls-union-imp-subeq Dlu2 (Dlse5 : ls-subeq G1+G2 G1+G2+X) (Dlse6 : ls-subeq X G1+G2+X)
    <- ls-union-imp-subeq Dlu (Dlse7 : ls-subeq G1 G1+G2) (Dlse8 : ls-subeq G2 G1+G2)
    <- ls-subeq-trans Dlse7 Dlse5 (Dlse3 : ls-subeq G1 G1+G2+X)
    <- ls-subeq-trans Dlse8 Dlse5 (Dlse9 : ls-subeq G2 G1+G2+X)
    <- ls-subeq-union Dlse9 Dlse6 Dlu3 (Dlse4 : ls-subeq G2+X G1+G2+X)
    <- st-sqsubeq-ex-resp-subeq Dssee1 Dlse3 Dssee1'
    <- st-sqsubeq-ex-resp-subeq Dssee2 Dlse4 Dssee2'
    <- st-sqsubeq-ex-trans Dssee1' Dssee2' Dssee'.

- : evalc-imp-st-sqsubeq-ex-trc-gen
    (evalc-letp Devalc)
    Dtg
    Dls
    Dlu
    Dssee'
    <- evalc-imp-st-sqsubeq-ex-trc-gen Devalc Dtg Dls Dlu Dssee'.

- : evalc-imp-st-sqsubeq-ex-trc-gen
    (evalc-case-inl Devalc)
    Dtg
    Dls
    Dlu
    Dssee'
    <- evalc-imp-st-sqsubeq-ex-trc-gen Devalc Dtg Dls Dlu Dssee'.

- : evalc-imp-st-sqsubeq-ex-trc-gen
    (evalc-case-inr Devalc)
    Dtg
    Dls
    Dlu
    Dssee'
    <- evalc-imp-st-sqsubeq-ex-trc-gen Devalc Dtg Dls Dlu Dssee'.
- : cps-imp-st-sqsubeq-ex-trs-gen
    cps-nil
    trs-gen-nil
    Dssee'
    <- st-sqsubeq-ex-refl _ _ Dssee'.

- : cps-imp-st-sqsubeq-ex-trs-gen
    (cps-mod _ _ _ Dcpc)
    (trs-gen-mod Dlu Dls Dtg)
    Dssee'
    <- cpc-imp-st-sqsubeq-ex-trc-gen Dcpc Dtg Dls Dlu Dssee'.

- : cps-imp-st-sqsubeq-ex-trs-gen
    (cps-let _ _ _ Dcps2 Dcps1)
    (trs-gen-let (Dlu : ls-union G1 G2 G1+G2) Dtg2 Dtg1)
    Dssee'
    <- cps-imp-st-sqsubeq-ex-trs-gen Dcps1 Dtg1 Dssee1
    <- cps-imp-st-sqsubeq-ex-trs-gen Dcps2 Dtg2 Dssee2
    <- ls-union-im p-subeq Dlu (Dlse1 : ls-subeq G1 G1+G2) (Dlse2 : ls-subeq G2 G1+G2)
    <- st-sqsubeq-ex-resp-subeq Dssee1 Dlse1 Dssee1'
    <- st-sqsubeq-ex-resp-subeq Dssee2 Dlse2 Dssee2'
    <- st-sqsubeq-ex-trans Dssee1' Dssee2' Dssee'.



- : cpc-imp-st-sqsubeq-ex-trc-gen
     (cpc-write Dstu)
     trc-gen-wr
     Dls
     Dlu
     Dssee'
     <- st-update-imp-st-sqsubeq-ex Dstu Dls Dssee'.
- : cpc-imp-st-sqsubeq-ex-trc-gen
     (cpc-let _ _ _ Dcpc2 Dcps1)
     (trc-gen-let (Dlu : ls-union G1 G2 G1+G2) Dtg2 Dtg1)
     Dls
     (Dlu2 : ls-union G1+G2 X G1+G2+X)
     Dssee'
     <- cps-imp-st-sqsubeq-ex-trs-gen Dcps1 Dtg1 Dssee1
     <- can-ls-union _ _ (Dlu3 : ls-union G2 X G2+X)
     <- cpc-imp-st-sqsubeq-ex-trc-gen Dcpc2 Dtg2 Dls Dlu3 Dssee2
     <- ls-union-imp-subeq Dlu2 (Dlse5 : ls-subeq G1+G2 G1+G2+X) (Dlse6 : ls-subeq X G1+G2+X)
     <- ls-union-imp-subeq Dlu (Dlse7 : ls-subeq G1 G1+G2) (Dlse8 : ls-subeq G2 G1+G2)
     <- ls-subeq-trans Dlse7 Dlse5 (Dlse3 : ls-subeq G1 G1+G2+X)
     <- ls-subeq-trans Dlse8 Dlse5 (Dlse9 : ls-subeq G2 G1+G2+X)
     <- ls-subeq-union Dlse9 Dlse6 Dlu3 (Dlse4 : ls-subeq G2+X G1+G2+X)
     <- st-sqsubeq-ex-resp-subeq Dssee1 Dlse3 Dssee1'
     <- st-sqsubeq-ex-resp-subeq Dssee2 Dlse4 Dssee2'
     <- st-sqsubeq-ex-trans Dssee1' Dssee2' Dssee'.

- : cpc-imp-st-sqsubeq-ex-trc-gen
     (cpc-read/noch Dcpc _)
     (trc-gen-rd Dtg)
     Dls
     Dlu
     Dssee'
     <- cpc-imp-st-sqsubeq-ex-trc-gen Dcpc Dtg Dls Dlu Dssee'.

- : cpc-imp-st-sqsubeq-ex-trc-gen
     (cpc-read/ch Devalc _ _)
     (trc-gen-rd Dtg)
     Dls
     Dlu
     Dssee'
     <- evalc-imp-st-sqsubeq-ex-trc-gen Devalc Dtg Dls Dlu Dssee'.



%worlds ()
   (evals-imp-st-sqsubeq-ex-trs-gen _ _ _)
   (evalc-imp-st-sqsubeq-ex-trc-gen _ _ _ _ _)
   (cps-imp-st-sqsubeq-ex-trs-gen _ _ _)
   (cpc-imp-st-sqsubeq-ex-trc-gen _ _ _ _ _).
%total (D1 D2 D3 D4)
   (evals-imp-st-sqsubeq-ex-trs-gen D1 _ _)
   (evalc-imp-st-sqsubeq-ex-trc-gen D2 _ _ _ _)
   (cps-imp-st-sqsubeq-ex-trs-gen D3 _ _)
   (cpc-imp-st-sqsubeq-ex-trc-gen D4 _ _ _ _).



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% syntax-lemmas.thm
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

val-eq-nat : nat-eq N N' -> val-eq (val-nat N) (val-nat N') -> type.
%mode val-eq-nat +X1 -X2.

- : val-eq-nat nat-eq_ val-eq_.
%worlds () (val-eq-nat _ _).
%total {} (val-eq-nat _ _).

val-eq-pr : val-eq V1 V1' -> val-eq V2 V2' -> val-eq (val-pr V1 V2) (val-pr V1' V2') -> type.
%mode val-eq-pr +X1 +X2 -X3.

- : val-eq-pr val-eq_ val-eq_ val-eq_.
%worlds (val-block) (val-eq-pr _ _ _).
%total {} (val-eq-pr _ _ _).



val-eq-inl : val-eq V V -> val-eq (val-inl V) (val-inl V) -> type.
%mode val-eq-inl +X1 -X2.

- : val-eq-inl val-eq_ val-eq_.
%worlds (val-block) (val-eq-inl _ _).
%total {} (val-eq-inl _ _).

val-eq-inr : val-eq V V -> val-eq (val-inr V) (val-inr V) -> type.
%mode val-eq-inr +X1 -X2.

- : val-eq-inr val-eq_ val-eq_.
%worlds (val-block) (val-eq-inr _ _).
%total {} (val-eq-inr _ _).

val-eq-fns : ({v1}{v2} es-eq (Es v1 v2) (Es' v1 v2)) -> val-eq (val-fns Es) (val-fns Es') -> type.
%mode val-eq-fns +X1 -X2.

- : val-eq-fns ([v1] [v2] es-eq_) val-eq_.
%worlds (val-block) (val-eq-fns _ _).
%total {} (val-eq-fns _ _).

val-eq-fnc : ({v1}{v2} ec-eq (Ec v1 v2) (Ec' v1 v2)) -> val-eq (val-fnc Ec) (val-fnc Ec') -> type.
%mode val-eq-fnc +X1 -X2.

- : val-eq-fnc ([v1] [v2] ec-eq_) val-eq_.
%worlds (val-block) (val-eq-fnc _ _).
%total {} (val-eq-fnc _ _).

es-eq-val : val-eq V V -> es-eq (es-val V) (es-val V) -> type.
%mode es-eq-val +X1 -X2.

- : es-eq-val val-eq_ es-eq_.
%worlds (val-block) (es-eq-val _ _).
%total {} (es-eq-val _ _).

es-eq-plus : val-eq V1 V1' -> val-eq V2 V2' -> es-eq (es-plus V1 V2) (es-plus V1' V2') -> type.
%mode es-eq-plus +X1 +X2 -X3.

- : es-eq-plus val-eq_ val-eq_ es-eq_.
%worlds (val-block) (es-eq-plus _ _ _).
%total {} (es-eq-plus _ _ _).

es-eq-mod : ec-eq Ec Ec' -> es-eq (es-mod Ec) (es-mod Ec') -> type.
%mode es-eq-mod +X1 -X2.

- : es-eq-mod ec-eq_ es-eq_.
%worlds (val-block) (es-eq-mod _ _).
%total {} (es-eq-mod _ _).

es-eq-app : val-eq V1 V1' -> val-eq V2 V2' -> es-eq (es-app V1 V2) (es-app V1' V2') -> type.
%mode es-eq-app +X1 +X2 -X3.

- : es-eq-app val-eq_ val-eq_ es-eq_.
%worlds (val-block) (es-eq-app _ _ _).
%total {} (es-eq-app _ _ _).

es-eq-let :
   es-eq Es1 Es1' -> ({v} es-eq (Es2 v) (Es2' v)) ->
   es-eq (es-let Es1 Es2) (es-let Es1' Es2') -> type.
%mode es-eq-let +X1 +X2 -X3.

- : es-eq-let es-eq_ ([v] es-eq_) es-eq_.
%worlds (val-block) (es-eq-let _ _ _).
%total {} (es-eq-let _ _ _).

es-eq-letp :
   val-eq V1 V1' -> ({v1}{v2} es-eq (Es2 v1 v2) (Es2' v1 v2)) ->
   es-eq (es-letp V1 Es2) (es-letp V1' Es2') -> type.
%mode es-eq-letp +X1 +X2 -X3.

- : es-eq-letp val-eq_ ([v1] [v2] es-eq_) es-eq_.
%worlds (val-block) (es-eq-letp _ _ _).
%total {} (es-eq-letp _ _ _).

es-eq-case :
   val-eq V0 V0' -> ({v} es-eq (Es1 v) (Es1' v)) -> ({v} es-eq (Es2 v) (Es2' v)) ->
   es-eq (es-case V0 Es1 Es2) (es-case V0' Es1' Es2') -> type.
%mode es-eq-case +X1 +X2 +X3 -X4.

- : es-eq-case val-eq_ ([v] es-eq_) ([v] es-eq_) es-eq_.
%worlds (val-block) (es-eq-case _ _ _ _).
%total {} (es-eq-case _ _ _ _).

es-eq-memo : es-eq Es Es' -> es-eq (es-memo Es) (es-memo Es') -> type.
%mode es-eq-memo +X1 -X2.

- : es-eq-memo es-eq_ es-eq_.
%worlds (val-block) (es-eq-memo _ _).
%total {} (es-eq-memo _ _).

ec-eq-wr : val-eq V V -> ec-eq (ec-wr V) (ec-wr V) -> type.
%mode ec-eq-wr +X1 -X2.